Re: Questions about Integrated Windows Authentication

Sorry Mark, I've clicked the wrong button in my mail client :(

On 28.06.2021 15:29, Mark Thomas wrote:

> Note that Tomcat 7 is no longer supported.

I guess it's nearly the same for all versions of Tomcat.

> That looks more like some form of configuration issue but I always found
> the Kerberos error message rather hard to decipher.

AFAIK, Kerberos is working fine. This error occurs in JNDIRealm's getPrincipal method. One log line before, Kerberos reports

Found ticket for HTTP/apps.atlas-03t.gvsn.local@GVSN.LOCAL to go to krbtgt/GVSN.LOCAL@GVSN.LOCAL expiring on Thu Jun 24 18:26:05 CEST 2021

So, there is a ticket. However, JNDIRealm cannot use it, or the ticket does not allow binding to the directory with that user. I'm not understanding the whole process, so I was asking if someone has more of a clue about that.

>> 2. Fallback Authenticator
>
> It has been mentioned before. There is this on the Wiki:
> https://cwiki.apache.org/confluence/display/TOMCAT/SSLWithFORMFallback

Will have a look at that. It's basically what I was thinking about: adding a fallback to SpnegoAuthenticator only.

> As with most enhancements, whether it is accepted is going to depend
> largely on the benefit it brings vs how complex / invasive the code is.

For sure.

> Rémy mentioned he was looking for a development project. Maybe this
> could be it.

I guess Rémy was taking my user attributes Realm extension as a development project...

> You might be able to authenticate external users in a reverse proxy and
> have it pass the user ID to Tomcat rather than have Tomcat do the
> authentication.

I read about that somewhere some months ago. However, I don't know how to get the authentication from the reverse proxy (my Tomcat already runs behind an Apache HTTPD using mod_proxy_ajp) to Tomcat. Finally, Tomcat needs the Principal and a couple of roles for authorization (including my additional user attributes). Passing the user ID only is likely not sufficient.

Could you please describe that in more detail or point me to some sites to learn more about that?

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Questions about Integrated Windows Authentication

On 28/06/2021 10:36, Carsten Klein wrote:
> Hi there,
>
> I have two questions about Tomcat's Integrated Windows Authentication:
>
> Tomcat is stuck on version 7.0.52 on an outdated Ubuntu 14.04 LTS.

Note that Tomcat 7 is no longer supported.

> 1. useDelegatedCredential = true
>
> I'm using JNDIRealm together with the SPNEGO authenticator. If the
> Realm's option 'useDelegatedCredential' is set to true, I'm getting this
> exception:
>
> javax.naming.AuthenticationException: GSSAPI [Root exception is
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Failed to
> find any Kerberos tgt)]]; remaining name 'xxx.yyy.zzz...'
>
> Everything works fine when not using delegated credentials, but
> configured connectionName and connectionPassword.
>
> What's the reason for that? Is it a Tomcat configuration issue? Or, is
> the client (Google Chrome) not sending enough (credential?) information:
> There is Chrome's Policy option 'AuthNegotiateDelegateWhitelist'
> (deprecated, replaced by 'AuthNegotiateDelegateAllowlist') which must be
> configured in order to delegate the user's identity. However, setting
> any of these policy settings to true does not help. See
> https://www.chromium.org/developers/design-documents/http-authentication
>
> Is it a limitation/setting in Active Directory Server? The exception
> occurs after SpnegoAuthenticator has contacted ADS through Kerberos. Is
> the response obtained from that Kerberos call not suitable for using
> delegated credentials?

That looks more like some form of configuration issue but I always found the Kerberos error message rather hard to decipher.

> 2. Fallback Authenticator
>
> We have some clients connected through VPN, whose Windows sessions are
> not logged on to the Active Directory's Windows Domain, so Integrated
> Windows Authentication cannot work. SpnegoAuthenticator reports 'No
> authorization header sent by client'. However, I've not yet found a way
> to fall back to e.g. FORM authentication for those clients.
>
> AFAIK, there is no way to do this with Tomcat, since a Context can only
> have one single authenticator valve.
>
> Oracle's WebLogic Server supports configuring more than one
> authentication method, by adding something like CLIENT-CERT,BASIC into
> web.xml. What about adding support for that or something similar in
> Tomcat?
>
> A CombinedAuthenticator (like with CombinedRealm) could be a solution.
> That could instantiate other required Authenticator valves and pass the
> request from one to the other until authentication succeeds. Those
> valves must not necessarily be queued in the container's pipeline, but
> could be called by the CombinedAuthenticator valve. That's likely not
> too simple but it could be done. Are you open to such a solution?

It has been mentioned before. There is this on the Wiki:
https://cwiki.apache.org/confluence/display/TOMCAT/SSLWithFORMFallback

As with most enhancements, whether it is accepted is going to depend largely on the benefit it brings vs how complex / invasive the code is.

Rémy mentioned he was looking for a development project. Maybe this could be it.

> I believe that only the SpnegoAuthenticator needs such a fallback, as it
> uses mechanisms that you can't just add to any client. (In contrast, you
> could always distribute an X509 certificate or use FORM, BASIC, or
> DIGEST login. But you can't add your client to a Windows Domain just in
> order to log in to an application.) Adding a fallback mechanism to
> SpnegoAuthenticator only may be much easier.
>
> What other solutions do you know?

You might be able to authenticate external users in a reverse proxy and have it pass the user ID to Tomcat rather than have Tomcat do the authentication.

Mark
Questions about Integrated Windows Authentication

Hi there,

I have two questions about Tomcat's Integrated Windows Authentication:

Tomcat is stuck on version 7.0.52 on an outdated Ubuntu 14.04 LTS.

1. useDelegatedCredential = true

I'm using JNDIRealm together with the SPNEGO authenticator. If the Realm's option 'useDelegatedCredential' is set to true, I'm getting this exception:

javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]]; remaining name 'xxx.yyy.zzz...'

Everything works fine when not using delegated credentials, but configured connectionName and connectionPassword.

What's the reason for that? Is it a Tomcat configuration issue? Or, is the client (Google Chrome) not sending enough (credential?) information: There is Chrome's Policy option 'AuthNegotiateDelegateWhitelist' (deprecated, replaced by 'AuthNegotiateDelegateAllowlist') which must be configured in order to delegate the user's identity. However, setting any of these policy settings to true does not help. See https://www.chromium.org/developers/design-documents/http-authentication

Is it a limitation/setting in Active Directory Server? The exception occurs after SpnegoAuthenticator has contacted ADS through Kerberos. Is the response obtained from that Kerberos call not suitable for using delegated credentials?

2. Fallback Authenticator

We have some clients connected through VPN, whose Windows sessions are not logged on to the Active Directory's Windows Domain, so Integrated Windows Authentication cannot work. SpnegoAuthenticator reports 'No authorization header sent by client'. However, I've not yet found a way to fall back to e.g. FORM authentication for those clients.

AFAIK, there is no way to do this with Tomcat, since a Context can only have one single authenticator valve.

Oracle's WebLogic Server supports configuring more than one authentication method, by adding something like CLIENT-CERT,BASIC into web.xml. What about adding support for that or something similar in Tomcat?

A CombinedAuthenticator (like with CombinedRealm) could be a solution. That could instantiate other required Authenticator valves and pass the request from one to the other until authentication succeeds. Those valves must not necessarily be queued in the container's pipeline, but could be called by the CombinedAuthenticator valve. That's likely not too simple but it could be done. Are you open to such a solution?

I believe that only the SpnegoAuthenticator needs such a fallback, as it uses mechanisms that you can't just add to any client. (In contrast, you could always distribute an X509 certificate or use FORM, BASIC, or DIGEST login. But you can't add your client to a Windows Domain just in order to log in to an application.) Adding a fallback mechanism to SpnegoAuthenticator only may be much easier.

What other solutions do you know?

Carsten
SSO using Reverse Proxy from IIS to Apache Tomcat 8.0.22 (Use Windows Authentication NTLM)

Hi Team,

We are trying to implement SSO using Windows integrated authentication (NTLM) on Apache Tomcat 8.0.22 for REST API calls. We are following "Windows Authentication How To" --> Reverse Proxies --> Microsoft IIS. We configured ISAPI_Redirect.dll for the reverse proxy, but we are facing some issues with it. Can you please help us with the below:

1. Our application (Siebel) listens on the HTTP protocol, but it seems the ISAPI_Redirect reverse proxy uses the AJP connector protocol. Is there any document which can help us configure the reverse proxy with the HTTP protocol?

2. We are using the Windows Authentication NTLM approach (we cannot use Kerberos as per the company guidelines). Are there any known issues using WIA with Apache?

3. Please suggest if there is any better approach to achieve SSO for REST calls using Windows Integrated Authentication on Windows Server.

Any help would be very much appreciated, thanks again for your time.

Thanks & Regards,
Suraj Agrawal
Re: Integrated Windows Authentication for TomCat 7

On 25/05/2016 07:02, Clinton Breed wrote:
> Good day All
>
> We are running a web app named n-able Helpdesk Manager via TomCat 7 on a
> Windows Server 2008.
>
> The Tomcat gets installed via the n-able helpdesk installation. I have
> been assigned a task to get the Helpdesk Webapp to login automatically
> gathering the information from the windows login. (automatic LDAP
> authentication)
>
> I have done some research and found out that it is possible to integrate
> the windows authentication through Tomcat (SPNEGO), but my question is,
> how do I get past the Login on the Webapp (n-able Helpdesk)
>
> The authentication options I have on n-able Helpdesk are:
>
> n-able Help Desk Manager (Where you create user login details)
>
> CAS 2.0
>
> SAML 2.0
>
> Servlet Authentication

I'd guess this is the option you need.

I'd start with a simple web application and make sure that SPNEGO is working correctly. A JSP that displays the current value of HttpServletRequest.getRemoteUser() with an appropriate security constraint should be enough to test with.

Mark
Integrated Windows Authentication for TomCat 7

Good day All

We are running a web app named n-able Helpdesk Manager via TomCat 7 on a Windows Server 2008.

The Tomcat gets installed via the n-able helpdesk installation. I have been assigned a task to get the Helpdesk Webapp to login automatically, gathering the information from the Windows login (automatic LDAP authentication).

I have done some research and found out that it is possible to integrate the Windows authentication through Tomcat (SPNEGO), but my question is, how do I get past the Login on the Webapp (n-able Helpdesk)?

The authentication options I have on n-able Helpdesk are:

n-able Help Desk Manager (where you create user login details)
CAS 2.0
SAML 2.0
Servlet Authentication
HTTP Header
HTTP form value

I have little experience with the above authentication methods as well as with Tomcat, so proper guidance will be appreciated. Please feel free to ask for more information if you need it.

Thanks,

Clinton Breed
Systems Analyst
Lonrho Group
Corner of Webb and Jones Roads, Jet Park, Boksburg, Johannesburg 1459, South Africa
Tel: +27 11 571 9869
clinton.br...@lonrho.com
www.lonrho.com
Re: Windows Authentication

On 07.03.2016 11:39, André Warnier (tomcat) wrote:
> On 07.03.2016 06:10, Chanchal Kariwala wrote:
>> The article which suggested that NTLM is being used by Winlogon instead
>> of Kerberos:
>> http://stackoverflow.com/questions/5597573/how-to-find-if-ntlm-or-kerberos-is-used-from-www-authenticate-negotiate-header
>>
>> So the token the browser sends on the first 401 starts with YHkG... and
>> the second token begins with YIIK1QYG
>>
>> Check also this one:
>> https://blogs.msdn.microsoft.com/friis/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iisie/
>
> As you see, there are a lot of things to check, one by one.
> That is because WIA (and Kerberos) are very fiddly, and even one little
> setting or circumstance can result in the thing not working (as in your
> case).
>
> P.S. The mere volume of articles on this subject in Google (e.g.
> "kerberos and wia" or "kerberos and IE")
> 1) by itself makes it difficult to know which one to read and believe
> 2) indicates that this is a complex subject, with which a lot of people
> have problems
>
> This list here is about Tomcat issues. There is an SPNEGO authentication
> Valve in Tomcat, and there are certainly some people on this list with
> some knowledge of WIA/Kerberos, but such issues are probably not their
> main focus, or their main area of expertise.
> You may have a bit more luck (or at least find more people focused on
> Windows authentication) on the Samba list for example.
> Maybe try here: https://lists.samba.org/mailman/listinfo/samba
> and supply all your previous information again, including the captured
> headers. That would definitely increase your chances of receiving a
> helpful response.
>
> It is not that we don't /want/ to help, but there are just too many
> external factors and settings which can play a role, that it is a bit
> overwhelming to try this one step remote from the problem.
> If you do in the end identify a specific problem with the Tomcat SPNEGO
> Valve, don't hesitate to come back and ask for help here again.

Also, if you do find the solution, please post a short message to this list, so that maybe other people here with a similar issue could in the future find the solution in the list archives.
(I presume you have already searched these archives for similar issues?)

Another thing, at a different level: if your main aim is to solve this issue quickly, then have a look at Jespa (https://www.ioplex.com/).
I can testify that Jespa works faultlessly in several installations which I did.
And just reading the User Manual may already give you some useful tips.
Re: Windows Authentication

The article which suggested that NTLM is being used by Winlogon instead of Kerberos:
http://stackoverflow.com/questions/5597573/how-to-find-if-ntlm-or-kerberos-is-used-from-www-authenticate-negotiate-header

So the token the browser sends on the first 401 starts with YHkG... and the second token begins with YIIK1QYG

Check also this one:
https://blogs.msdn.microsoft.com/friis/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iisie/

Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com

On Mon, Mar 7, 2016 at 10:19 AM, Chanchal Kariwala <chanchal.kariw...@seclore.com> wrote:
> In response to *George Stanchev*,
> I tried with Chrome and IE 11, same behavior in both. And yes I tried
> waffle, but in another webapp. Waffle does not prompt for the credentials.
>
> In response to *André Warnier*,
> I tried that to no avail :(
>
> In response to *Felix Schumacher*,
> It is not a problem with the webapp. I have tried both of what you asked.
> Tomcat Keytab is authenticated successfully. And KRB debug
> shows success for the keytab.
>
> So here are my additional findings over the weekend.
> Background - My test AD is virtual. My Domain Controller and client are
> VMs.
>
> 1. *Windows Logon was using NTLM instead of Kerberos*
>
> Some article led me to the following assumption:
>
> When the browser receives WWW-Authenticate: Negotiate, it asks for the
> token from the OS Cache. The OS Cache provides it a token that was obtained
> via NTLM. The Server does not accept that since it specifically wants
> Kerberos. And hence the browser asks for Credentials again and this time
> the user is authenticated via Kerberos. And this token is accepted by the
> Server.
>
> 2. *Windows Logon by IP Address uses NTLM*
>
> I access the client machine (with tomcat) using RDP via the IP Address.
> The following question on StackExchange indicates that in
> such a scenario NTLM is used to logon to the system.
>
> See:
> http://serverfault.com/questions/357975/is-it-possible-to-switch-to-kerberos-only-windows-domain
>
> 3. *Kerberos Event Logging*
>
> The next thing I was trying to figure out was why Windows logon was using
> NTLM. The above link suggests that there was no way of forcing
> LSA to use Kerberos only. So now I am looking at the System events, which
> might suggest which protocol is being used.
>
> Also I enabled Kerberos event logging to see if there were any Kerberos
> Errors.
>
> See: https://support.microsoft.com/en-us/kb/262177
>
> Thanks,
> Chanchal R. Kariwala
> Product Engineer
> Seclore Technology
> chanchal.kariw...@seclore.com
> www.seclore.com
>
> On Sat, Mar 5, 2016 at 3:57 PM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
>> On 04.03.2016 at 10:11, Chanchal Kariwala wrote:
>>> I tried what you asked and I have observed the following
>>>
>>> 1. Browser sends a request for the resource
>>> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response
>>> Headers
>>>
>>> 2. Browser sends a new request with the following in Request Headers
>>> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg
>>>
>>> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in
>>> Response Headers
>>>
>>> 3. At this point the browser shows HTTP Basic Auth form and sends the
>>> following in Headers
>>> Authorization: Negotiate
>>> YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge
>>> value, much much longer than the first one*)
>>>
>>> Now the Server replies with HTTP 200 and the following in headers
>>> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
>>> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>>>
>>> So yes WIA is failing..
>>> Can you help me out with the next step in debugging?
>>
>> You can enable debugging for kerberos in the jvm and you can enable debug
>> logs for the SpnegoAuthenticator in tomcat to get more information.
>>
>> To enable debug log messages in the jvm add
>>
>> -Dsun.security.krb5.debug=true
>>
>> to CATALINA_OPTS. The log messages will appear in catalina.out and are
>> quite verbose.
>>
>> To enable debug log messages for SpnegoAuthenticator, add
>>
>> org.apache.catalina.authenticator.SpnegoAuthenticator.level = FINE
>>
>> to conf/logging.properties in your CATALINA_BASE directory.
>>
>> Regards,
>> Felix
>>
>>> Thanks,
>>> Chanchal R. Kariwala
>>> Product Engineer
>>> Seclore Technology
>>> chanchal.kariw...@seclore.com
>>> www.seclore.com
>>>
>>> On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) wrote:
>>>> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>>>>> I am using Tomcat 8.0.32 and I have followed the guide given at
>>>>> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
>>>>> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>>>>>
>>>>> Windows AD Auth is working i.e. when I access the site, I am asked for
>>>>> credentials and when I enter the correct credentials, the restricted
>>>>> resource is displayed. However my question is why the browser is asking
>>>>> for credentials? Why isn't it accessing TGT Cache in the OS
Re: Windows Authentication

In response to *George Stanchev*,
I tried with Chrome and IE 11, same behavior in both. And yes I tried waffle, but in another webapp. Waffle does not prompt for the credentials.

In response to *André Warnier*,
I tried that to no avail :(

In response to *Felix Schumacher*,
It is not a problem with the webapp. I have tried both of what you asked. Tomcat Keytab is authenticated successfully. And KRB debug shows success for the keytab.

So here are my additional findings over the weekend.
Background - My test AD is virtual. My Domain Controller and client are VMs.

1. *Windows Logon was using NTLM instead of Kerberos*

Some article led me to the following assumption:

When the browser receives WWW-Authenticate: Negotiate, it asks for the token from the OS Cache. The OS Cache provides it a token that was obtained via NTLM. The Server does not accept that since it specifically wants Kerberos. And hence the browser asks for Credentials again and this time the user is authenticated via Kerberos. And this token is accepted by the Server.

2. *Windows Logon by IP Address uses NTLM*

I access the client machine (with tomcat) using RDP via the IP Address. The following question on StackExchange indicates that in such a scenario NTLM is used to logon to the system.

See: http://serverfault.com/questions/357975/is-it-possible-to-switch-to-kerberos-only-windows-domain

3. *Kerberos Event Logging*

The next thing I was trying to figure out was why Windows logon was using NTLM. The above link suggests that there was no way of forcing LSA to use Kerberos only. So now I am looking at the System events, which might suggest which protocol is being used.

Also I enabled Kerberos event logging to see if there were any Kerberos Errors.

See: https://support.microsoft.com/en-us/kb/262177

Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com

On Sat, Mar 5, 2016 at 3:57 PM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
> On 04.03.2016 at 10:11, Chanchal Kariwala wrote:
>> I tried what you asked and I have observed the following
>>
>> 1. Browser sends a request for the resource
>> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response
>> Headers
>>
>> 2. Browser sends a new request with the following in Request Headers
>> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg
>>
>> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in
>> Response Headers
>>
>> 3. At this point the browser shows HTTP Basic Auth form and sends the
>> following in Headers
>> Authorization: Negotiate
>> YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge
>> value, much much longer than the first one*)
>>
>> Now the Server replies with HTTP 200 and the following in headers
>> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
>> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>>
>> So yes WIA is failing..
>> Can you help me out with the next step in debugging?
>
> You can enable debugging for kerberos in the jvm and you can enable debug
> logs for the SpnegoAuthenticator in tomcat to get more information.
>
> To enable debug log messages in the jvm add
>
> -Dsun.security.krb5.debug=true
>
> to CATALINA_OPTS. The log messages will appear in catalina.out and are
> quite verbose.
>
> To enable debug log messages for SpnegoAuthenticator, add
>
> org.apache.catalina.authenticator.SpnegoAuthenticator.level = FINE
>
> to conf/logging.properties in your CATALINA_BASE directory.
>
> Regards,
> Felix
>
>> Thanks,
>> Chanchal R. Kariwala
>> Product Engineer
>> Seclore Technology
>> chanchal.kariw...@seclore.com
>> www.seclore.com
>>
>> On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) wrote:
>>> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>>>> I am using Tomcat 8.0.32 and I have followed the guide given at
>>>> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
>>>> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>>>>
>>>> Windows AD Auth is working i.e. when I access the site, I am asked for
>>>> credentials and when I enter the correct credentials, the restricted
>>>> resource is displayed. However my question is why the browser is asking
>>>> for credentials? Why isn't it accessing TGT Cache in the OS to fetch the
>>>> user's credentials? I have enabled Integrated Windows Auth in IE Settings.
>>>> I have added the site in Intranet Sites and set "Logon by Current User"
>>>> in Custom Level setting for Intranet.
>>>
>>> Hi.
>>>
>>> The real *key* to debugging such issues, is to use some plugin or add-on
>>> to the browser, to enable the capture and visualisation of the HTTP
>>> dialog back and forth between the browser and the server.
>>> Since you are using IE, I
Re: Windows Authentication
On 04.03.2016 at 10:11, Chanchal Kariwala wrote:
> I tried what you asked and I have observed the following
>
> 1. Browser sends a request for the resource
> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers
>
> 2. Browser sends a new request with the following in Request Headers
> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg
>
> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers
>
> 3. At this point the browser shows HTTP Basic Auth form and sends the following in Headers
> Authorization: Negotiate YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge value, much much longer than the first one*)
>
> Now the Server replies with HTTP 200 and the following in headers
> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>
> So yes WIA is failing..
> Can you help me out with the next step in debugging?

You can enable debugging for kerberos in the jvm and you can enable debug logs for the SpnegoAuthenticator in tomcat to get more information.

To enable debug log messages in the jvm add

-Dsun.security.krb5.debug=true

to CATALINA_OPTS. The log messages will appear in catalina.out and are quite verbose.

To enable debug log messages for SpnegoAuthenticator, add

org.apache.catalina.authenticator.SpnegoAuthenticator.level = FINE

to conf/logging.properties in your CATALINA_BASE directory.

Regards,
Felix

> Thanks,
> Chanchal R. Kariwala
> Product Engineer
> Seclore Technology
> chanchal.kariw...@seclore.com
> www.seclore.com
>
> On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) wrote:
>
>> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>>
>>> I am using Tomcat 8.0.32 and I have followed the guide given at
>>> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
>>> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>>>
>>> Windows AD Auth is working i.e. when I access the site, I am asked for credentials and when I enter the correct credentials, the restricted resource is displayed.
>>>
>>> However my question is why the browser is asking for credentials? Why isn't it accessing TGT Cache in the OS to fetch the user's credentials?
>>>
>>> I have enabled Integrated Windows Auth in IE Settings. I have added the site in Intranet Sites and set "Logon by Current User" in Custom Level setting for Intranet.
>>
>> Hi.
>>
>> The real *key* to debugging such issues, is to use some plugin or add-on to the browser, to enable the capture and visualisation of the HTTP dialog back and forth between the browser and the server.
>> Since you are using IE, I suggest "Fiddler2".
>> Install it, close your browser, re-open the browser, start Fiddler2 in capture mode, and then do an access to the webserver. When prompted for an id/pw, enter them.
>> Then stop Fiddler2 and examine the HTTP exchanges, starting with your initial request to the webserver.
>>
>> You are correct in thinking that, normally, the login should happen automatically in the background, and you should never see this browser login dialog.
>> WIA authentication is a multiple-step process between the browser and the webserver, and in the background between the webserver and a Domain Controller.
>> That the login dialog appears in your case, means :
>> 1) that the integrated WIA failed
>> 2) that the Domain is configured to allow HTTP Basic authentication in a second step, after WIA fails. That is the login dialog that you see.
>>
>> So, something is not working as it should in the WIA step.
>> But to know exactly what, requires examining the HTTP exchanges.
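The two Authorization: Negotiate values quoted in this exchange are not entirely opaque: even the short prefixes pasted into the mail decode far enough to show which GSS mechanism the browser put first, which is what the thread turns on. Windows puts Kerberos first only when it already holds a service ticket for the SPN, and puts NTLMSSP first when it could not obtain one. Tomcat's SpnegoAuthenticator hands the token to Java GSS, which implements Kerberos but not NTLM, so an NTLM-first token is answered with the second 401 seen above and the browser falls back to prompting. The decoder below is an added example, not code from Tomcat or from anyone in the thread: it walks the SPNEGO NegTokenInit (RFC 4178) with a minimal DER reader, tolerates the truncated prefixes as they were quoted, and also builds two complete tokens with constructed dummy payloads so the parser can be exercised end to end.

```python
"""Decode the SPNEGO token in an "Authorization: Negotiate ..." header and list
the mechanisms the browser offered, in order. Added example for this thread,
not Tomcat's code or anyone's from the thread; assumes the token is a GSS-API
InitialContextToken wrapping a NegTokenInit (RFC 4178), i.e. a first request."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}

def _tlv(buf, pos):
    """Read a DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _decode_oid(raw):
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))

def mech_types(header_value):
    """mechTypes in offered order, by name where known. A token cut off mid-way
    (as pasted in the thread) is parsed as far as it goes; the cut OID is matched
    by length and prefix and reported as "A|B?"."""
    b64 = header_value.split(None, 1)[1]
    if len(b64) % 4 == 1:                   # a lone trailing char cannot decode
        b64 = b64[:-1]
    buf = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    tag, pos, _ = _tlv(buf, 0)                                  # [APPLICATION 0]
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, s, e = _tlv(buf, pos)                                  # thisMech OID
    if tag != 0x06 or _decode_oid(buf[s:e]) != SPNEGO_OID:
        raise ValueError("not SPNEGO")
    tag, pos, _ = _tlv(buf, e)                                  # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit (a NegTokenResp is tagged 0xA1)")
    _, pos, _ = _tlv(buf, pos)                                  # SEQUENCE
    tag, pos, _ = _tlv(buf, pos)                                # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, pos, end = _tlv(buf, pos)                                # SEQUENCE OF OID
    mechs = []
    while pos + 2 <= len(buf) and pos < end:
        _, s, e = _tlv(buf, pos)
        raw = buf[s:e]
        if e > len(buf):                                        # truncated OID
            cands = [n for o, n in MECH_NAMES.items() if len(_encode_oid(o)) - 2 == e - s
                     and _encode_oid(o)[2:].startswith(raw)]
            mechs.append(("|".join(cands) or "unknown") + "?")
            break
        mechs.append(MECH_NAMES.get(_decode_oid(raw), _decode_oid(raw)))
        pos = e
    return mechs

def diagnose(header_value):
    """Kerberos first: the client held a service ticket for the SPN. NTLMSSP
    first: it did not, and Java GSS (what SpnegoAuthenticator uses) has no NTLM,
    so Tomcat answers 401 again and the browser falls back to a prompt."""
    first = mech_types(header_value)[0]
    return "kerberos" if first.startswith(("KRB5", "MS-KRB5")) else "no-kerberos-ticket"

def build_neg_token_init(mech_oids, mech_token):
    """Constructed test data: a complete Negotiate header value."""
    mech_list = _der(0x30, b"".join(_encode_oid(o) for o in mech_oids))
    body = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return "Negotiate " + base64.b64encode(
        _der(0x60, _encode_oid(SPNEGO_OID) + _der(0xA0, body))).decode()

# The two request tokens as far as they were quoted in the thread.
THREAD_TOKEN_1 = "Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg"
THREAD_TOKEN_2 = "Negotiate YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS"
# Constructed complete tokens; the inner mechToken payloads are dummies.
NTLM_FIRST = build_neg_token_init(["1.3.6.1.4.1.311.2.2.10", "1.2.840.48018.1.2.2",
                                   "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.30"],
                                  b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20))
KRB_FIRST = build_neg_token_init(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2"], bytes(64))

if __name__ == "__main__":
    for hdr in (THREAD_TOKEN_1, THREAD_TOKEN_2, NTLM_FIRST, KRB_FIRST):
        print(mech_types(hdr), diagnose(hdr))
```

Run as a script it prints one line per token. On the thread's quoted prefixes it reports the first token as NTLMSSP|NEGOEX? (a 10-byte Microsoft OID, never a Kerberos one; the outer length byte 0x79 also says the whole token is 123 bytes, the size of an NTLM type 1 message, not of a Kerberos AP-REQ) and the second, sent after the credential prompt, as MS-KRB5 first with an outer length of 2773 bytes. That is consistent with the prompt having obtained the Kerberos ticket the first attempt lacked, so the thing to fix is on the Kerberos side (the SPN registered on the account Tomcat runs as, the site in the Intranet zone, the workstation on the domain) rather than in Tomcat.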
Re: Windows Authentication
On 04.03.2016 14:40, George Stanchev wrote:
> It does not look like HTTP Basic. Did you try different browsers? IE, Chrome, FF? Do you get same behavior with all? Is the user logging in a member of the domain your IWA is set up to?

Did you try /un/-checking the "Enable WIA authentication" checkbox in IE ? (I know it sounds counter-intuitive, but try it).

> If you set up a 3rd party IWA provider (such as Waffle), does it act the same on all 3 browsers? There was a recent issue with Waffle that one of my developers submitted that was dealing with similar issues [1]. You might want to go over that thread to see if it can give you pointers.
>
> [1] https://github.com/dblock/waffle/issues/268
>
> -Original Message-
> From: Chanchal Kariwala [mailto:chanchal.kariw...@seclore.com]
> Sent: Friday, March 04, 2016 2:52 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Windows Authentication
>
> But how does the browser decide on Basic Auth?
> Usually 401 Response contains WWW-Authenticate: Basic realm="MyREALM" to indicate Basic Auth
>
> Thanks,
> Chanchal R. Kariwala
> Product Engineer
> Seclore Technology
> chanchal.kariw...@seclore.com
> www.seclore.com
>
> On Fri, Mar 4, 2016 at 3:16 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote:
>
>> On 04.03.2016 10:11, Chanchal Kariwala wrote:
>>
>>> I tried what you asked and I have observed the following
>>>
>>> 1. Browser sends a request for the resource
>>> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers
>>
>> Fine.
>>
>>> 2. Browser sends a new request with the following in Request Headers
>>> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg
>>
>> Also seems fine. (But difficult to tell, as these tokens are "opaque" by design).
>>
>>> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers
>>
>> But this does not seem ok. It seems that the browser and server are failing to agree on an authentication method, and dropping down to HTTP Basic.
>>
>>> 3. At this point the browser shows HTTP Basic Auth form and sends the following in Headers
>>> Authorization: Negotiate YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge value, much much longer than the first one*)
>>>
>>> Now the Server replies with HTTP 200 and the following in headers
>>> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
>>> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>>>
>>> So yes WIA is failing..
>>> Can you help me out with the next step in debugging?
>>
>> I think at this point, you need to go to your Windows network sysadmins, with the information above, and ask them what is going on.
>> There are just too many possible reasons, in the Windows Domain environment, why this could fail. (browser, browser version, workstation OS version, browser settings, Domain Controller settings, Domain network policies, membership of Domain or not, etc.).
>>
>>> Thanks,
>>> Chanchal R. Kariwala
>>> Product Engineer
>>> Seclore Technology
>>> chanchal.kariw...@seclore.com
>>> www.seclore.com
>>>
>>> On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote:
>>>
>>>> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>>>>
>>>>> I am using Tomcat 8.0.32 and I have followed the guide given at
>>>>> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
>>>>> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>>>>>
>>>>> Windows AD Auth is working i.e. when I access the site, I am asked for credentials and when I enter the correct credentials, the restricted resource is displayed.
>>>>>
>>>>> However my question is why the browser is asking for credentials? Why isn't it accessing TGT Cache in the OS to fetch the user's credentials?
>>>>>
>>>>> I have enabled Integrated Windows Auth in IE Settings. I have added the site in Intranet Sites and set "Logon by Current User" in Custom Level setting for Intranet.
>>>>
>>>> Hi.
>>>>
>>>> The real *key* to debugging such issues, is to use some plugin or add-on to the browser, to enable the capture and visualisation of the HTTP dialog back and forth between the browser and the server.
>>>> Since you are using IE, I suggest "Fiddler2".
>>>> Install it, close your browser, re-open the browser, start Fiddler2 in capture mode, and then do an access to the webserver. When prompted for an id/pw, enter them.
>>>> Then stop Fiddler2 and examine the HTTP exchanges, starting with your initial request to the webserver.
>>>>
>>>> You are correct in thinking that, normally, the login should happen automatically in the background, and you should never see this browser login dialog.
>>>> WIA authentication is a multiple-step process between the browser and the webserver, and in the background between the webserver and a Domain Controller.
>>>> That the login dialog appears in your case, means :
>>>> 1) that the integrated WIA failed
>>>> 2) that the Domain is configured to allow HTTP Basic authentication in a second step, after WIA fails. That is the login dialog that you see.
>>>>
>>>> So, something is not work
RE: Windows Authentication
It does not look like HTTP Basic. Did you try different browsers? IE, Chrome, FF? Do you get same behavior with all? Is the user logging in a member of the domain your IWA is set up to?

If you set up a 3rd party IWA provider (such as Waffle), does it act the same on all 3 browsers? There was a recent issue with Waffle that one of my developers submitted that was dealing with similar issues [1]. You might want to go over that thread to see if it can give you pointers.

[1] https://github.com/dblock/waffle/issues/268

-Original Message-
From: Chanchal Kariwala [mailto:chanchal.kariw...@seclore.com]
Sent: Friday, March 04, 2016 2:52 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Windows Authentication

But how does the browser decide on Basic Auth?
Usually 401 Response contains WWW-Authenticate: Basic realm="MyREALM" to indicate Basic Auth

Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com

On Fri, Mar 4, 2016 at 3:16 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote:

> On 04.03.2016 10:11, Chanchal Kariwala wrote:
>
>> I tried what you asked and I have observed the following
>>
>> 1. Browser sends a request for the resource
>> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers
>
> Fine.
>
>> 2. Browser sends a new request with the following in Request Headers
>> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg
>
> Also seems fine. (But difficult to tell, as these tokens are "opaque" by design).
>
>> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers
>
> But this does not seem ok. It seems that the browser and server are failing to agree on an authentication method, and dropping down to HTTP Basic.
>
>> 3. At this point the browser shows HTTP Basic Auth form and sends the following in Headers
>> Authorization: Negotiate YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge value, much much longer than the first one*)
>>
>> Now the Server replies with HTTP 200 and the following in headers
>> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
>> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>>
>> So yes WIA is failing..
>> Can you help me out with the next step in debugging?
>
> I think at this point, you need to go to your Windows network sysadmins, with the information above, and ask them what is going on.
> There are just too many possible reasons, in the Windows Domain environment, why this could fail. (browser, browser version, workstation OS version, browser settings, Domain Controller settings, Domain network policies, membership of Domain or not, etc.).
>
>> Thanks,
>> Chanchal R. Kariwala
>> Product Engineer
>> Seclore Technology
>> chanchal.kariw...@seclore.com
>> www.seclore.com
>>
>> On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote:
>>
>>> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>>>
>>>> I am using Tomcat 8.0.32 and I have followed the guide given at
>>>> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
>>>> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>>>>
>>>> Windows AD Auth is working i.e. when I access the site, I am asked for credentials and when I enter the correct credentials, the restricted resource is displayed.
>>>>
>>>> However my question is why the browser is asking for credentials? Why isn't it accessing TGT Cache in the OS to fetch the user's credentials?
>>>>
>>>> I have enabled Integrated Windows Auth in IE Settings. I have added the site in Intranet Sites and set "Logon by Current User" in Custom Level setting for Intranet.
>>>
>>> Hi.
>>>
>>> The real *key* to debugging such issues, is to use some plugin or add-on to the browser, to enable the capture and visualisation of the HTTP dialog back and forth between the browser and the server.
>>> Since you are using IE, I suggest "Fiddler2".
>>> Install it, close your browser, re-open
Re: Windows Authentication
But how does the browser decide on Basic Auth?
Usually 401 Response contains WWW-Authenticate: Basic realm="MyREALM" to indicate Basic Auth

Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com

On Fri, Mar 4, 2016 at 3:16 PM, André Warnier (tomcat) wrote:

> On 04.03.2016 10:11, Chanchal Kariwala wrote:
>
>> I tried what you asked and I have observed the following
>>
>> 1. Browser sends a request for the resource
>> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers
>
> Fine.
>
>> 2. Browser sends a new request with the following in Request Headers
>> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg
>
> Also seems fine. (But difficult to tell, as these tokens are "opaque" by design).
>
>> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers
>
> But this does not seem ok. It seems that the browser and server are failing to agree on an authentication method, and dropping down to HTTP Basic.
>
>> 3. At this point the browser shows HTTP Basic Auth form and sends the following in Headers
>> Authorization: Negotiate YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge value, much much longer than the first one*)
>>
>> Now the Server replies with HTTP 200 and the following in headers
>> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
>> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>>
>> So yes WIA is failing..
>> Can you help me out with the next step in debugging?
>
> I think at this point, you need to go to your Windows network sysadmins, with the information above, and ask them what is going on.
> There are just too many possible reasons, in the Windows Domain environment, why this could fail. (browser, browser version, workstation OS version, browser settings, Domain Controller settings, Domain network policies, membership of Domain or not, etc.).
>
>> Thanks,
>> Chanchal R. Kariwala
>> Product Engineer
>> Seclore Technology
>> chanchal.kariw...@seclore.com
>> www.seclore.com
>>
>> On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) wrote:
>>
>>> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>>>
>>>> I am using Tomcat 8.0.32 and I have followed the guide given at
>>>> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
>>>> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>>>>
>>>> Windows AD Auth is working i.e. when I access the site, I am asked for credentials and when I enter the correct credentials, the restricted resource is displayed.
>>>>
>>>> However my question is why the browser is asking for credentials? Why isn't it accessing TGT Cache in the OS to fetch the user's credentials?
>>>>
>>>> I have enabled Integrated Windows Auth in IE Settings. I have added the site in Intranet Sites and set "Logon by Current User" in Custom Level setting for Intranet.
>>>
>>> Hi.
>>>
>>> The real *key* to debugging such issues, is to use some plugin or add-on to the browser, to enable the capture and visualisation of the HTTP dialog back and forth between the browser and the server.
>>> Since you are using IE, I suggest "Fiddler2".
>>> Install it, close your browser, re-open the browser, start Fiddler2 in capture mode, and then do an access to the webserver. When prompted for an id/pw, enter them.
>>> Then stop Fiddler2 and examine the HTTP exchanges, starting with your initial request to the webserver.
>>>
>>> You are correct in thinking that, normally, the login should happen automatically in the background, and you should never see this browser login dialog.
>>> WIA authentication is a multiple-step process between the browser and the webserver, and in the background between the webserver and a Domain Controller.
>>> That the login dialog appears in your case, means :
>>> 1) that the integrated WIA failed
>>> 2) that the Domain is configured to allow HTTP Basic authentication in a second step, after WIA fails. That is the login dialog that you see.
>>>
>>> So, something is not working as it should in the WIA step.
>>> But to know exactly what, requires examining the HTTP exchanges.
Re: Windows Authentication
On 04.03.2016 10:11, Chanchal Kariwala wrote:
> I tried what you asked and I have observed the following
>
> 1. Browser sends a request for the resource
> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers

Fine.

> 2. Browser sends a new request with the following in Request Headers
> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg

Also seems fine. (But difficult to tell, as these tokens are "opaque" by design).

> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers

But this does not seem ok. It seems that the browser and server are failing to agree on an authentication method, and dropping down to HTTP Basic.

> 3. At this point the browser shows HTTP Basic Auth form and sends the following in Headers
> Authorization: Negotiate YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge value, much much longer than the first one*)
>
> Now the Server replies with HTTP 200 and the following in headers
> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>
> So yes WIA is failing..
> Can you help me out with the next step in debugging?

I think at this point, you need to go to your Windows network sysadmins, with the information above, and ask them what is going on.
There are just too many possible reasons, in the Windows Domain environment, why this could fail. (browser, browser version, workstation OS version, browser settings, Domain Controller settings, Domain network policies, membership of Domain or not, etc.).

> Thanks,
> Chanchal R. Kariwala
> Product Engineer
> Seclore Technology
> chanchal.kariw...@seclore.com
> www.seclore.com
>
> On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) wrote:
>
>> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>>
>>> I am using Tomcat 8.0.32 and I have followed the guide given at
>>> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
>>> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>>>
>>> Windows AD Auth is working i.e. when I access the site, I am asked for credentials and when I enter the correct credentials, the restricted resource is displayed.
>>>
>>> However my question is why the browser is asking for credentials? Why isn't it accessing TGT Cache in the OS to fetch the user's credentials?
>>>
>>> I have enabled Integrated Windows Auth in IE Settings. I have added the site in Intranet Sites and set "Logon by Current User" in Custom Level setting for Intranet.
>>
>> Hi.
>>
>> The real *key* to debugging such issues, is to use some plugin or add-on to the browser, to enable the capture and visualisation of the HTTP dialog back and forth between the browser and the server.
>> Since you are using IE, I suggest "Fiddler2".
>> Install it, close your browser, re-open the browser, start Fiddler2 in capture mode, and then do an access to the webserver. When prompted for an id/pw, enter them.
>> Then stop Fiddler2 and examine the HTTP exchanges, starting with your initial request to the webserver.
>>
>> You are correct in thinking that, normally, the login should happen automatically in the background, and you should never see this browser login dialog.
>> WIA authentication is a multiple-step process between the browser and the webserver, and in the background between the webserver and a Domain Controller.
>> That the login dialog appears in your case, means :
>> 1) that the integrated WIA failed
>> 2) that the Domain is configured to allow HTTP Basic authentication in a second step, after WIA fails. That is the login dialog that you see.
>>
>> So, something is not working as it should in the WIA step.
>> But to know exactly what, requires examining the HTTP exchanges.
Re: Windows Authentication
I tried what you asked and I have observed the following

1. Browser sends a request for the resource
Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers

2. Browser sends a new request with the following in Request Headers
Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg

Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers

3. At this point the browser shows HTTP Basic Auth form and sends the following in Headers
Authorization: Negotiate YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge value, much much longer than the first one*)

Now the Server replies with HTTP 200 and the following in headers
WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
Set-Cookie: JSESSIONID=541FE2EDD35690B
BDE99..; Path=/webapp/; HttpOnly

So yes WIA is failing..
Can you help me out with the next step in debugging?

Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com

On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) wrote:

> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>
>> I am using Tomcat 8.0.32 and I have followed the guide given at
>> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
>> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>>
>> Windows AD Auth is working i.e. when I access the site, I am asked for credentials and when I enter the correct credentials, the restricted resource is displayed.
>>
>> However my question is why the browser is asking for credentials? Why isn't it accessing TGT Cache in the OS to fetch the user's credentials?
>>
>> I have enabled Integrated Windows Auth in IE Settings. I have added the site in Intranet Sites and set "Logon by Current User" in Custom Level setting for Intranet.
>
> Hi.
>
> The real *key* to debugging such issues, is to use some plugin or add-on to the browser, to enable the capture and visualisation of the HTTP dialog back and forth between the browser and the server.
> Since you are using IE, I suggest "Fiddler2".
> Install it, close your browser, re-open the browser, start Fiddler2 in capture mode, and then do an access to the webserver. When prompted for an id/pw, enter them.
> Then stop Fiddler2 and examine the HTTP exchanges, starting with your initial request to the webserver.
>
> You are correct in thinking that, normally, the login should happen automatically in the background, and you should never see this browser login dialog.
> WIA authentication is a multiple-step process between the browser and the webserver, and in the background between the webserver and a Domain Controller.
> That the login dialog appears in your case, means :
> 1) that the integrated WIA failed
> 2) that the Domain is configured to allow HTTP Basic authentication in a second step, after WIA fails. That is the login dialog that you see.
>
> So, something is not working as it should in the WIA step.
> But to know exactly what, requires examining the HTTP exchanges.
Re: Windows Authentication
On 04.03.2016 07:16, Chanchal Kariwala wrote:
> I am using Tomcat 8.0.32 and I have followed the guide given at
> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>
> Windows AD Auth is working i.e. when I access the site, I am asked for credentials and when I enter the correct credentials, the restricted resource is displayed.
>
> However my question is why the browser is asking for credentials? Why isn't it accessing TGT Cache in the OS to fetch the user's credentials?
>
> I have enabled Integrated Windows Auth in IE Settings. I have added the site in Intranet Sites and set "Logon by Current User" in Custom Level setting for Intranet.

Hi.

The real *key* to debugging such issues, is to use some plugin or add-on to the browser, to enable the capture and visualisation of the HTTP dialog back and forth between the browser and the server.
Since you are using IE, I suggest "Fiddler2".
Install it, close your browser, re-open the browser, start Fiddler2 in capture mode, and then do an access to the webserver. When prompted for an id/pw, enter them.
Then stop Fiddler2 and examine the HTTP exchanges, starting with your initial request to the webserver.

You are correct in thinking that, normally, the login should happen automatically in the background, and you should never see this browser login dialog.
WIA authentication is a multiple-step process between the browser and the webserver, and in the background between the webserver and a Domain Controller.
That the login dialog appears in your case, means :
1) that the integrated WIA failed
2) that the Domain is configured to allow HTTP Basic authentication in a second step, after WIA fails. That is the login dialog that you see.

So, something is not working as it should in the WIA step.
But to know exactly what, requires examining the HTTP exchanges.
Windows Authentication
I am using Tomcat 8.0.32 and I have followed the guide given at
- https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
- https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w

Windows AD Auth is working i.e. when I access the site, I am asked for credentials and when I enter the correct credentials, the restricted resource is displayed.

However my question is why the browser is asking for credentials? Why isn't it accessing TGT Cache in the OS to fetch the user's credentials?

I have enabled Integrated Windows Auth in IE Settings. I have added the site in Intranet Sites and set "Logon by Current User" in Custom Level setting for Intranet.

Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com
Re: Windows authentication : outdated link
2015-03-13 15:04 GMT+03:00 André Warnier <a...@ice-sa.com>:
> Hi.
> Errata :
>
> In the page http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#References
> (and also in the corresponding Tomcat 7 page), the link to Geronimo configuration for Windows authentication leads to :
> https://cwiki.apache.org/GMOxDOC21/using-spengo-in-geronimo.html#UsingSpengoingeronimo-SettinguptheActiveDirectoryDomainController
> which returns :
> The requested URL /confluence/display/GMOxDOC21/using-spengo-in-geronimo.html was not found on this server.
> (neither does it work if one replaces the spengo parts by spnego..)

Apparently they replaced '-' with '+' and have lost the .html suffix.

https://cwiki.apache.org/confluence/display/GMOxDOC21/Using+SPNEGO+in+Geronimo#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine

Best regards,
Konstantin Kolinko
Windows authentication : outdated link
Hi.
Errata :

In the page http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#References
(and also in the corresponding Tomcat 7 page), the link to Geronimo configuration for Windows authentication leads to :
https://cwiki.apache.org/GMOxDOC21/using-spengo-in-geronimo.html#UsingSpengoingeronimo-SettinguptheActiveDirectoryDomainController
which returns :
The requested URL /confluence/display/GMOxDOC21/using-spengo-in-geronimo.html was not found on this server.
(neither does it work if one replaces the spengo parts by spnego..)
Re: Windows authentication : outdated link
2015-03-13 15:13 GMT+03:00 Konstantin Kolinko <knst.koli...@gmail.com>:
> 2015-03-13 15:04 GMT+03:00 André Warnier <a...@ice-sa.com>:
>> Hi.
>> Errata :
>>
>> In the page http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#References
>> (and also in the corresponding Tomcat 7 page), the link to Geronimo configuration for Windows authentication leads to :
>> https://cwiki.apache.org/GMOxDOC21/using-spengo-in-geronimo.html#UsingSpengoingeronimo-SettinguptheActiveDirectoryDomainController
>> which returns :
>> The requested URL /confluence/display/GMOxDOC21/using-spengo-in-geronimo.html was not found on this server.
>> (neither does it work if one replaces the spengo parts by spnego..)
>
> Apparently they replaced '-' with '+' and have lost the .html suffix.
>
> https://cwiki.apache.org/confluence/display/GMOxDOC21/Using+SPNEGO+in+Geronimo#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine

I updated the docs in Tomcat 9/8/7.

Best regards,
Konstantin Kolinko
RE: Built-in Tomcat Support for Windows Authentication
Alright, thanks. We will try once more from scratch.

-Original Message-
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Thursday, 23 October 2014 20:42
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication

On 23.10.2014 at 11:07, Philippe Wijdh wrote:
> Hi,
>
> Thank you for the response. The initial setup of the spn and the keytab was without the port-number, the registry key was a suggestion found on internet but this setting does not change the outcome.
>
> The command kinit on the Tomcat server returns the following
>
> C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf
>
> C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL

HTTP/v3tcat4ad.assai.nl:8...@assai.nl is the wrong spn. You have to use one without the port number (as described in the docs).

Maybe it would be best to follow Mark's advice and start with a fresh system and follow the documentation step by step.

Felix

> KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
> Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl
> Kinit using keytab
> Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Kinit realm name is ASSAI.NL
> Creating KrbAsReq
> KrbKdcReq local addresses for V3TCAT4AD are:
> V3TCAT4AD/10.1.0.67 IPv4 address
> V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11 IPv6 address
> KdcAccessibility: reset
> KeyTabInputStream, readName(): ASSAI.NL
> KeyTabInputStream, readName(): HTTP
> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
> KeyTab: load() entry length: 72; type: 23
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
> KrbAsReq creating message
> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=198
> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=198
> KrbKdcReq send: #bytes read=173
> Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
> Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> Pre-Authentication Data:
> PA-DATA type = 16
> Pre-Authentication Data:
> PA-DATA type = 15
> KdcAccessibility: remove v3dom1.assai.nl:88
> KDCRep: init() encoding tag is 126 req type is 11
> KRBError:
> sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
> suSec is 776700
> error code is 25
> error Message is Additional pre-authentication required
> realm is ASSAI.NL
> sname is krbtgt/ASSAI.NL
> eData provided.
> msgType is 30
> Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
> Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> Pre-Authentication Data:
> PA-DATA type = 16
> Pre-Authentication Data:
> PA-DATA type = 15
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> KrbAsReq creating message
> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=283
> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=283
> KrbKdcReq send: #bytes read=88
> KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=3, number of retries =3, #bytes=283
> KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=3,Attempt =1, #bytes=283
> DEBUG: TCPClient reading 1496 bytes
> KrbKdcReq send: #bytes read=1496
> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser
>
> C:\MyPrograms
RE: Built-in Tomcat Support for Windows Authentication
Thanks Terence,

We will have a look at Waffle as well.

Kind regards,
Philippe Wijdh
Senior Programmer
Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The Netherlands
P: +31 (0)345 516 663, E: p.wi...@assai.nl, W: www.assai-software.com

-----Original Message-----
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Wednesday 22 October 2014 18:56
To: Tomcat Users List
Subject: Built-in Tomcat Support for Windows Authentication

On 10/22/2014 4:40 AM, Philippe Wijdh wrote:
> Hello,
>
> We have spent a long time now trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly: the logon dialog keeps appearing and trying to log on fails.
> In addition to that we tried suggestions, like adding the registry key AllowTgtSessionKey and setting it to 0x01.
> Seems like we are close but we are missing something (see tomcat output below).
> Does anyone have more complete documentation or any suggestions on how to make this work?
>
> Kind regards,
> Philippe Wijdh
>
> Extra information on the setup:
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
> Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the port number, does not make a difference)
> Test is done with user testu...@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.

Hi, Philippe-

I have not used the built-in Tomcat Windows authentication but have had success using Waffle in a similar configuration. You might try that if all else fails.
-Terence Bandoian

> Tomcat Output:
> [...]
Re: Built-in Tomcat Support for Windows Authentication
On 22/10/2014 10:40, Philippe Wijdh wrote:
> Hello,
>
> We have spent a long time now trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly: the logon dialog keeps appearing and trying to log on fails.
> In addition to that we tried suggestions, like adding the registry key AllowTgtSessionKey and setting it to 0x01.
> Seems like we are close but we are missing something (see tomcat output below).
> Does anyone have more complete documentation or any suggestions on how to make this work?

The documentation is complete. If you follow the steps in that document then you will end up with a working system. Either you aren't following the documentation or something in your environment differs from that described in the document.

> Kind regards,
> Philippe Wijdh
>
> Extra information on the setup:
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
> Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the port number, does not make a difference)
> Test is done with user testu...@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.

You haven't provided any information on the Realm configuration or how you have secured the page you are trying to test with.

You might have hit https://issues.apache.org/bugzilla/show_bug.cgi?id=57022

There are lots of configuration steps listed in the docs you haven't mentioned.

Mark

> Tomcat Output:
> [...]
RE: Built-in Tomcat Support for Windows Authentication
Hi,

Thank you for the response. The initial setup of the spn and the keytab was without the port number; the registry key was a suggestion found on the internet, but this setting does not change the outcome.
The command kinit on the Tomcat server returns the following:

C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf
C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Kinit using keytab
Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Kinit realm name is ASSAI.NL
Creating KrbAsReq
KrbKdcReq local addresses for V3TCAT4AD are:
  V3TCAT4AD/10.1.0.67 IPv4 address
  V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11 IPv6 address
KdcAccessibility: reset
KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=198
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=198
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
  PA-DATA type = 11
  PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
  PA-DATA type = 2
  PA-ENC-TIMESTAMP
Pre-Authentication Data:
  PA-DATA type = 16
Pre-Authentication Data:
  PA-DATA type = 15
KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
  sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
  suSec is 776700
  error code is 25
  error Message is Additional pre-authentication required
  realm is ASSAI.NL
  sname is krbtgt/ASSAI.NL
  eData provided.
  msgType is 30
Pre-Authentication Data:
  PA-DATA type = 11
  PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
  PA-DATA type = 2
  PA-ENC-TIMESTAMP
Pre-Authentication Data:
  PA-DATA type = 16
Pre-Authentication Data:
  PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=283
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=283
KrbKdcReq send: #bytes read=88
KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=3, number of retries =3, #bytes=283
KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=3,Attempt =1, #bytes=283
DEBUG: TCPClient reading 1496 bytes
KrbKdcReq send: #bytes read=1496
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser

C:\MyPrograms\Tomcat7\conf>klist

Current LogonId is 0:0x13380b5c

Cached Tickets: (0)

Kind regards,
Philippe Wijdh
Senior Programmer
Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The Netherlands
P: +31 (0)345 516 663, E: p.wi...@assai.nl, W: www.assai-software.com

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Thursday 23 October 2014 7:53
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication

On 22 October 2014 11:40:56 MESZ, Philippe Wijdh p.wi...@assai.nl wrote:
> Hello,
>
> We have spent a long time now trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http
Built-in Tomcat Support for Windows Authentication
Hello,

We have spent a long time now trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly: the logon dialog keeps appearing and trying to log on fails.
In addition to that we tried suggestions, like adding the registry key AllowTgtSessionKey and setting it to 0x01.
Seems like we are close but we are missing something (see tomcat output below).
Does anyone have more complete documentation or any suggestions on how to make this work?

Kind regards,
Philippe Wijdh

Extra information on the setup:
Windows 2008 r2 sp1
Apache Tomcat 7.0.54
jdk1.7.0_60
Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the port number, does not make a difference)
Test is done with user testu...@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.

Tomcat Output:
KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
KdcAccessibility: reset
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=152
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
  PA-DATA type = 11
  PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
  PA-DATA type = 2
  PA-ENC-TIMESTAMP
Pre-Authentication Data:
  PA-DATA type = 16
Pre-Authentication Data:
  PA-DATA type = 15
KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
  sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
  suSec is 403143
  error code is 25
  error Message is Additional pre-authentication required
  realm is ASSAI.NL
  sname is krbtgt/ASSAI.NL
  eData provided.
  msgType is 30
Pre-Authentication Data:
  PA-DATA type = 11
  PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
  PA-DATA type = 2
  PA-ENC-TIMESTAMP
Pre-Authentication Data:
  PA-DATA type = 16
Pre-Authentication Data:
  PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=235
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=235
KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=152
KrbKdcReq send
Built-in Tomcat Support for Windows Authentication
On 10/22/2014 4:40 AM, Philippe Wijdh wrote:
> Hello,
>
> We have spent a long time now trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly: the logon dialog keeps appearing and trying to log on fails.
> In addition to that we tried suggestions, like adding the registry key AllowTgtSessionKey and setting it to 0x01.
> Seems like we are close but we are missing something (see tomcat output below).
> Does anyone have more complete documentation or any suggestions on how to make this work?
>
> Kind regards,
> Philippe Wijdh
>
> Extra information on the setup:
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
> Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the port number, does not make a difference)
> Test is done with user testu...@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.

Hi, Philippe-

I have not used the built-in Tomcat Windows authentication but have had success using Waffle in a similar configuration. You might try that if all else fails.

-Terence Bandoian

> Tomcat Output:
> [...]
Re: Built-in Tomcat Support for Windows Authentication
On 22 October 2014 11:40:56 CEST, Philippe Wijdh <p.wi...@assai.nl> wrote:
> Hello,
>
> We have spent a long time now, trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly, the logon dialog keeps appearing and trying to log on fails.
>
> Additional to that we tried suggestions, like adding the registry key AllowTgtSessionKey and setting it to 0x01

Haven't seen that recommendation in the tomcat documentation.

> Seems like we are close but we are missing something (see tomcat output below)
>
> Does anyone have a more complete documentation or have any suggestions on how to make this work.
>
> Kind regards,
> Philippe Wijdh
>
> Extra information on the setup:
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
> Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the port number, does not make a difference)

You will have to use the spn without the port.

> Test is done with user testu...@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.
>
> Tomcat Output:
>
> KeyTabInputStream, readName(): ASSAI.NL
> KeyTabInputStream, readName(): HTTP
> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080

What is inside your keytab?

> KeyTab: load() entry length: 72; type: 23
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
> KrbAsReq creating message
> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=152
> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=152
> KrbKdcReq send: #bytes read=173
> Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
>
> Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
>
> Pre-Authentication Data:
> PA-DATA type = 16
>
> Pre-Authentication Data:
> PA-DATA type = 15
>
> KdcAccessibility: remove v3dom1.assai.nl:88
> KDCRep: init() encoding tag is 126 req type is 11
> KRBError:
> sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
> suSec is 403143
> error code is 25
> error Message is Additional pre-authentication required
> realm is ASSAI.NL
> sname is krbtgt/ASSAI.NL
> eData provided.
> msgType is 30
> Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
>
> Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
>
> Pre-Authentication Data:
> PA-DATA type = 16
>
> Pre-Authentication Data:
> PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> KrbAsReq creating message
> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=235
> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=235
> KrbKdcReq send: #bytes read=1446
> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080

This is the wrong spn. The port number should not be there.

Regards
Felix

> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18
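As an added example (not code from the thread or from the Tomcat project), a small Python review script for Java Kerberos debug output of the kind quoted above. It extracts every fully qualified principal (service/host@REALM) and flags the port in the SPN that Felix points out, and it also reports when the keytab entries that were loaded are RC4-HMAC only (etype 23, the ArcFourHmacEType in the output), so the keytab can be regenerated with AES keys as well. The sample log lines are constructed to mirror the ones above, not a real capture; the etype numbers are the standard Kerberos assignments.

```python
"""Review helper for Java Kerberos debug output (-Dsun.security.krb5.debug=true)
as printed by Tomcat's SPNEGO authenticator.  Added example, not thread code."""
import re

# Kerberos encryption-type numbers as they appear in the debug output.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {23}

# Fully qualified principal: service/host[:port]@REALM.  Only principals with a
# realm are matched, so paths such as C:/tomcat/conf/tomcat.keytab do not match.
PRINCIPAL_RE = re.compile(r"\b([A-Za-z]+)/([A-Za-z0-9.-]+)(?::(\d+))?@([A-Za-z0-9.-]+)")
KEYTAB_ENTRY_RE = re.compile(r"KeyTab: load\(\) entry length: \d+; type: (\d+)")

# Constructed sample mirroring the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
"""


def find_principals(log):
    """Return (service, host, port or None, realm) for each principal in the log."""
    return [m.groups() for m in PRINCIPAL_RE.finditer(log)]


def keytab_etypes(log):
    """Encryption types of every keytab entry the JDK reported loading."""
    return {int(t) for t in KEYTAB_ENTRY_RE.findall(log)}


def review(log):
    """Findings a reviewer would raise: SPN with a port, RC4-only keytab."""
    findings = []
    for service, host, port, realm in find_principals(log):
        if port is not None:
            findings.append(
                f"SPN {service}/{host}:{port}@{realm} carries a port; the SPN and the "
                f"keytab entry must be {service}/{host}@{realm} (no port)")
    etypes = keytab_etypes(log)
    if etypes and etypes <= WEAK_ETYPES:
        names = ", ".join(ETYPE_NAMES.get(e, str(e)) for e in sorted(etypes))
        findings.append(
            f"keytab holds only {names} keys (etype {sorted(etypes)}); "
            "regenerate it with AES keys (etype 17/18) as well")
    # The same principal is printed many times; report each finding once.
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for line in review(SAMPLE_LOG):
        print(line)
```

Run it against the catalina output of a server started with the Kerberos debug property; a clean run returns no findings, and the port finding disappears once the SPN and keytab are re-created without `:8080`.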
Re: Tomcat windows authentication domain login issue
Tantaryu,

The problem currently is that your messages appear to the list readers as pretty unreadable blobs of text. Not many of the busy people here will feel motivated enough to decrypt/reformat them before they understand even the basics of your questions. Since you are the one who needs help, making it easier for someone to provide it is the way to go.

If such an option is available in your email client, please select "send messages as plain text". If it is not available, install Thunderbird or similar and try again. If everything else fails, inserting a blank line between each of the real lines of text /may/ help.

Next, do not send your configuration snippets as attachments. Paste them directly in the email to the list (also as plain text of course).

Next, do not top-post. Respond below the message portion to which you are responding. It helps keeping a natural flow to the conversation.

Thanks

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat windows authentication domain login issue
By the way, this is using tomcat 8 and it's running on Linux. Windows machines are the AD server and the client.
Re: Tomcat windows authentication domain login issue
On 15.10.2014 03:48, tantaryu wrote:
> Okay, now I tried with an email client. Let's see if it works.
>
> I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and use the manager web application that comes with tomcat to do a poc.
>
> In my web.xml I changed <auth-method>BASIC</auth-method> to <auth-method>SPNEGO</auth-method> and also changed the auth-constraint to the following:
>
> <auth-constraint>
>   <role-name>*</role-name>
> </auth-constraint>
>
> This is my krb5.ini
>
> [libdefaults]
> default_realm = ACME
> default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
>
> [realms]
> ACME = {
>   kdc = AD-Server:88
> }
>
> [domain_realm]
> acme= ACME
> .acme= ACME
>
> This is my jaas.conf
>
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     debug=true
>     doNotPrompt=true
>     principal=HTTP/Client2@ACME
>     useKeyTab=true
>     keyTab=C:/tomcat/conf/tomcat.keytab
>     //useTicketCache=true
>     storeKey=true;
> };
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     debug=true
>     doNotPrompt=true
>     principal=HTTP/Client2@ACME
>     useKeyTab=true
>     keyTab=C:/tomcat/conf/tomcat.keytab
>     //useTicketCache=true
>     storeKey=true;
> };
>
> The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same.
>
> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> KeyTabInputStream, readName(): acme
> KeyTabInputStream, readName(): HTTP
> KeyTabInputStream, readName(): Client2
> KeyTab: load() entry length: 52; type: 23
> Looking for keys for: HTTP/Client2@ACME
> Java config name: C:\tomcat\conf\krb5.ini
> Loaded from Java config
> Added key: 23version: 0
> KdcAccessibility: reset
> Looking for keys for: HTTP/Client2@ACME
> Added key: 23version: 0
> default etypes for default_tkt_enctypes: 23 17.
> KrbAsReq creating message
> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #bytes=124
> KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124

Could you try to add the missing newlines? It is really hard to read the text without them.

Regards
Felix

> KrbKdcReq send: #bytes read=538
> KdcAccessibility: remove AD-Server:88
> Looking for keys for: HTTP/Client2@ACME
> Added key: 23version: 0
> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
> principal is HTTP/Client2@ACME
> Will use keytab
> Commit Succeeded
> Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
> Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
> Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
> [Krb5LoginModule]: Entering logout
> [Krb5LoginModule]: logged out Subject
>
> I added this in my server.xml
>
> <Realm className="org.apache.catalina.realm.LockOutRealm">
>   <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
> </Realm>
>
> When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
RE: Tomcat windows authentication domain login issue
Let's hope it works this time.

[...]
Re: Tomcat windows authentication domain login issue
On 15.10.2014 10:22, tantaryu wrote:
> Let's hope it works this time.

If this was your try to add newlines, then I think it failed.

Felix

> [...]
RE: Tomcat windows authentication domain login issue
Okay, this might sound funny. But how do I add newlines?

> On 15.10.2014 10:22, tantaryu wrote:
> > Let's hope it works this time.
>
> If this was your try to add newlines, then I think it failed.
>
> Felix
>
> > [...]
RE: Tomcat windows authentication domain login issue
On 15 October 2014 11:05:59 CEST, tantaryu <ming...@outlook.com> wrote:
> Okay, this might sound funny. But how do I add newlines?

I don't know how to do it in your mail client. But generally I would try to configure it to not use html (only). You could try another mail client or provider. Maybe it has saner defaults.

Regards
Felix

> [...]
Re: Tomcat windows authentication domain login issue
On 14.10.2014 05:32, tantaryu wrote:
> I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and use the manager web application that comes with tomcat to do a poc.
>
> In my web.xml I changed
>
> and also changed the auth-constraint to the following

Maybe it is just me, but I can't see what you have added. Did you send your mail as html? If so, try to send it as text again.

Regards
Felix

> .
>
> This is my krb5.ini
>
> This is my jaas.conf
>
> The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same.
>
> I added this in my server.xml
>
> When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
Re: Tomcat windows authentication domain login issue
Oh, let me try again.

I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and use the manager web application that comes with tomcat to do a poc.

In my web.xml I changed

to

and also changed the auth-constraint to the following

.

This is my krb5.ini

This is my jaas.conf

The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same.

I added this in my server.xml

When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
Re: Tomcat windows authentication domain login issue
Let me know if you can read it still. I didn't check the "Message is in HTML Format" option.
RE: Tomcat windows authentication domain login issue
> From: tantaryu [mailto:ming...@outlook.com]
> Subject: Re: Tomcat windows authentication domain login issue
>
> Let me know if you can read it still. I didn't check the "Message is in HTML Format" option.

It didn't help. Don't use Nabble - post to the user's list directly from an e-mail client.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Tomcat windows authentication domain login issue
Okay, now I tried with a email client. Let's see if it works. I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and uses the manager web application comes with tomcat to do a poc. In my web.xml I change auth-methodBASIC/auth-method to auth-methodSPNEGO/auth-method and also changes the auth-constraint to the following auth-constraint role-name*/role-name/auth-constraint. This is my krb5.ini [libdefaults]default_realm = ACMEdefault_keytab_name = FILE:C:\tomcat\conf\tomcat.keytabdefault_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96forwardable=true[realms]ACME = {kdc = AD-Server:88}[domain_realm]acme= ACME.acme= ACME This is my jaas.conf com.sun.security.jgss.krb5.initiate { com.sun.security.auth.module.Krb5LoginModule requireddebug=true doNotPrompt=trueprincipal=HTTP/Client2@ACMEuseKeyTab=true keyTab=C:/tomcat/conf/tomcat.keytab//useTicketCache=true storeKey=true;};com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule requireddebug=true doNotPrompt=trueprincipal=HTTP/Client2@ACMEuseKeyTab=true keyTab=C:/tomcat/conf/tomcat.keytab//useTicketCache=true storeKey=true;}; The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same. 
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false KeyTabInputStream, readName(): acme KeyTabInputStream, readName(): HTTP KeyTabInputStream, readName(): Client2 KeyTab: load() entry length: 52; type: 23Looking for keys for: HTTP/Client2@ACMEJava config name: C:\tomcat\conf\krb5.iniLoaded from Java configAdded key: 23version: 0 KdcAccessibility: resetLooking for keys for: HTTP/Client2@ACMEAdded key: 23version: 0default etypes for default_tkt_enctypes: 23 17. KrbAsReq creating message KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #bytes=124 KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124 KrbKdcReq send: #bytes read=538 KdcAccessibility: remove AD-Server:88Looking for keys for: HTTP/Client2@ACMEAdded key: 23version: 0 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType KrbAsRep cons in KrbAsReq.getReply HTTP/Client2principal is HTTP/Client2@ACMEWill use keytabCommit Succeeded Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACMEFound KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACMEFound ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014[Krb5LoginModule]: Entering logout [Krb5LoginModule]: logged out Subject I added this in my server.xml Realm className=org.apache.catalina.realm.LockOutRealmRealm className=org.apache.catalina.realm.JAASRealm appName=JspKerberosDemo allRolesMode=strictAuthOnly / /Realm When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. 
What do I need to change to make it work?

Date: Tue, 14 Oct 2014 18:03:07 -0700
From: ml-node+s10n5023854...@n6.nabble.com
To: ming...@outlook.com
Subject: RE: Tomcat windows authentication domain login issue

> From: tantaryu [mailto:[hidden email]]
> Subject: Re: Tomcat windows authentication domain login issue
>
> Let me know if you can still read it. I didn't check the "Message is in HTML Format" option.

It didn't help. Don't use Nabble - post to the users list directly from an e-mail client.

- Chuck
Tomcat windows authentication domain login issue
I need some idea on what's wrong with my Tomcat configuration for Windows authentication. I followed the Tomcat Windows authentication tutorial and used the manager web application that comes with Tomcat to do a PoC. In my web.xml I changed and also changed the auth-constraint to the following . This is my krb5.ini This is my jaas.conf The weird thing is that regardless of what username and password I put in when I access the Tomcat manager web app, the debug message shown is the same. I added this in my server.xml When I try to log in, it doesn't seem to recognize the valid credential. The app keeps asking me to enter a valid credential. What do I need to change to make it work?

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: I need help in configuring windows authentication in tomcat 7.0
On 21/03/2013 23:49, chris derham wrote:
>>     <Context>
>>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>>         adCompat="true"
>>         allRolesMode="authOnly"
>>         referrals="follow"
>>         connectionURL="ldap://dc01.mydom.local:389"
>>         connectionName="mydom\tcuser"
>>         connectionPassword="Pa55w0rd"
>>         userBase="dc=mydom,dc=local"
>>         userSubtree="true"
>>         userSearch="(sAMAccountName={0})"
>>         roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
>>         roleName="cn"
>>         roleSearch="(member={0})"
>>         roleSubtree="true" />
>>     </Context>
>
> This has come up multiple times on the mailing list - essentially it can not/should not be done. Please see http://wiki.apache.org/tomcat/FAQ/Password for details

While generally that is correct, JNDIRealm plus Windows authentication is a special case. It should be possible to remove the connectionName and connectionPassword attributes from the above configuration. See the JNDI docs and the useDelegatedCredential attribute in particular.

Mark
I need help in configuring windows authentication in tomcat 7.0
I want to set up Windows authentication in my Tomcat 7.0.37. I read the user guide http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html and I followed all the steps in "Domain Controller" and "Tomcat Instance". Then I wrote the $CATALINA_BASE\webapps\myappl\WEB-INF\web.xml and the $CATALINA_BASE\webapps\myappl\META-INF\context.xml as below.

The question is: how can I remove connectionName and connectionPassword from the context.xml file? Without the 2 elements authentication doesn't work, but in a production environment I cannot put a password in clear text.

1st file web.xml
-

    <web-app>
      <display-name>Test Appl</display-name>
      <description>Written by Bob</description>
      <security-constraint>
        <display-name>Bob Appl Security Constraint</display-name>
        <web-resource-collection>
          <web-resource-name>Private Zone</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>role1</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>SPNEGO</auth-method>
      </login-config>
      <security-role>
        <role-name>role1</role-name>
        <role-name>role2</role-name>
        <role-name>role3</role-name>
      </security-role>
    </web-app>

2nd file context.xml
-

    <Context>
      <Realm className="org.apache.catalina.realm.JNDIRealm"
        adCompat="true"
        allRolesMode="authOnly"
        referrals="follow"
        connectionURL="ldap://dc01.mydom.local:389"
        connectionName="mydom\tcuser"
        connectionPassword="Pa55w0rd"
        userBase="dc=mydom,dc=local"
        userSubtree="true"
        userSearch="(sAMAccountName={0})"
        roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
        roleName="cn"
        roleSearch="(member={0})"
        roleSubtree="true" />
    </Context>
Re: I need help in configuring windows authentication in tomcat 7.0
>     <Context>
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>         adCompat="true"
>         allRolesMode="authOnly"
>         referrals="follow"
>         connectionURL="ldap://dc01.mydom.local:389"
>         connectionName="mydom\tcuser"
>         connectionPassword="Pa55w0rd"
>         userBase="dc=mydom,dc=local"
>         userSubtree="true"
>         userSearch="(sAMAccountName={0})"
>         roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
>         roleName="cn"
>         roleSearch="(member={0})"
>         roleSubtree="true" />
>     </Context>

This has come up multiple times on the mailing list - essentially it can not/should not be done. Please see http://wiki.apache.org/tomcat/FAQ/Password for details

Chris
Re: Manager App not working with Windows authentication enabled
Harris Mark R wrote:
> Sorry, guess I was not clear enough. We are using Microsoft's IIS to front-end Tomcat, not the Apache HTTP server. Apache HTTP server is not an option for our environment. We would prefer to use the Windows authenticated user passed to Tomcat by IIS, but are open to anything that works reliably.

It's my turn to apologise. That was clear in your original post, I just misread that.
It is the same however with IIS. If the user is authenticated by IIS, and you set tomcatAuthentication="false", then Tomcat will take the user-id from what the IIS/AJP module is passing on from IIS, and it will not redo the user authentication by himself (him being Tomcat).

> As I said, our custom application is working great in this environment, but the manager app is not. We are having trouble associating the roles that the manager app is expecting with the authenticated user. We have tried altering the tomcat-users file just about every which way we could think of. Essentially we need any way to associate the authenticated user with the manager-gui that the manager app is expecting. Would we need to implement a custom realm to make this work?

Yes, I think that you understand the issue correctly. Tomcat's standard user access control to an application is based on the concept of roles. You tell Tomcat that any user who has a role xxx can access that application. So Tomcat needs a way, given the present user-id, to find out if that user-id has this role (isUserInRole() ?). Unfortunately, what AJP passes to Tomcat is only a user-id, not any kind of information about the roles that this user has. I suppose that Tomcat somehow must use a Realm to get that kind of information, and I do not know if this Realm is capable of providing that information if it has not authenticated this user by itself. Maybe there is a way to tell Tomcat, for the manager application, to just check the user-id, and not the role ? I suppose that the right place to check would be the applicable Servlet Specification, in the web.xml/auth-constraints paragraph. How do you do it for your other application, the one that works ?

On a totally different track, if you want to use WIA anyway, you may want to have a look at Jespa, at http://www.ioplex.com. It's a totally different authentication and security approach, based on a servlet filter in Tomcat which authenticates the Windows user directly at the Tomcat level, not on the basis of the id that IIS determines (and AJP passes on). Jespa is capable of translating the concept of Windows user groups into Tomcat roles. One advantage of that approach is that you would have the various Tomcat roles managed at the same place as the other user-management functions (on the Windows domain AD server), and not have a different set of user information for Tomcat alone.
Manager App not working with Windows authentication enabled
Environment:
IIS 7.5
Tomcat 7.037
AJP/1.3 connector (redirector.dll) v 1.2
Java 7

We have a requirement for a new intranet application that it use Windows authentication. We have this working in our new application. We do have IIS, the connector and Tomcat serving up the application with no problems. What did happen is that we discovered that the manager application that comes with Tomcat is no longer accessible. We have some staff that use the manager app routinely. We did try to set up two AJP connectors, one defined in the server.xml with tomcatAuthentication="true" and another set to "false". In the AJP property files we set the second one to only be mapped to the manager URL. This did not work as we expected.

Anyone have any ideas on how to get the manager application working?

Excerpt from server.xml:
___

    <GlobalNamingResources>
      <Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="E:\Tomcat\32Bit\7.0.37\conf\tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>
    </GlobalNamingResources>
    <Service name="Catalina">
      <Connector connectionTimeout="12000" maxThreads="300" port="1" protocol="AJP/1.3" tomcatAuthentication="false"/>
      <Connector connectionTimeout="12000" maxThreads="300" port="10005" protocol="AJP/1.3" tomcatAuthentication="true"/>
      <Connector connectionTimeout="2" port="9080" protocol="HTTP/1.1" redirectPort="8443"/>
      <Engine defaultHost="localhost" jvmRoute="WA1" name="Catalina">
        <Realm className="org.apache.catalina.realm.LockOutRealm">
          <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
        </Realm>
        <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
          <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>
        </Host>
      </Engine>
    </Service>

Excerpt from worker.properties file
__

    worker.list=WA1,MGR
    worker.WA1.type=ajp13
    worker.WA1.host=localhost
    worker.WA1.port=1
    worker.WA1.connection_pool_size=300
    worker.WA1.connection_pool_timeout=12
    worker.MGR.type=ajp13
    worker.MGR.host=localhost
    worker.MGR.port=10005
    worker.MGR.connection_pool_size=300
    worker.MGR.connection_pool_timeout=12

Excerpt from uriworkermap.properties:
___

    /manager|/*=MGR

R. Mark Harris
Re: Manager App not working with Windows authentication enabled
Harris Mark R wrote:
> Environment:
> IIS 7.5
> Tomcat 7.037
> AJP/1.3 connector (redirector.dll) v 1.2
> Java 7
>
> We have a requirement for a new intranet application that it use Windows authentication. We have this working in our new application. We do have IIS, the connector and Tomcat serving up the application with no problems. What did happen is that we discovered that the manager application that comes with Tomcat is no longer accessible. We have some staff that use the manager app routinely. We did try to set up two AJP connectors, one defined in the server.xml with tomcatAuthentication="true" and another set to "false". In the AJP property files we set the second one to only be mapped to the manager URL. This did not work as we expected.

Setting tomcatAuthentication="false" in this case means that Tomcat is going to rely on the authenticated user-id sent to it by the front-end, through AJP. So you should authenticate the user at the Apache httpd front-end level.

> Anyone have any ideas on how to get the manager application working?

How would you like the users of the manager application to be authenticated ? Also via Windows Integrated Authentication, or at the Apache httpd level, via some other mechanism ?
For a simple case, you could for example do this at the Apache httpd level :

    <Location /manager>
      setHandler jakarta-servlet
      AuthType Basic
      AuthName tomcat-manager
      require user x y z ...
      ...
    </Location>

(and set tomcatAuthentication="false")
(setHandler jakarta-servlet in that <Location> section is roughly equivalent to JkMount /manager worker1)
This syntax is explained in one of the on-line AJP connector's info pages on the Tomcat website, at the very end of the page.
RE: Manager App not working with Windows authentication enabled
Sorry, guess I was not clear enough. We are using Microsoft's IIS to front-end Tomcat, not the Apache HTTP server. Apache HTTP server is not an option for our environment. We would prefer to use the Windows authenticated user passed to Tomcat by IIS, but are open to anything that works reliably.

As I said, our custom application is working great in this environment, but the manager app is not. We are having trouble associating the roles that the manager app is expecting with the authenticated user. We have tried altering the tomcat-users file just about every which way we could think of. Essentially we need any way to associate the authenticated user with the manager-gui that the manager app is expecting. Would we need to implement a custom realm to make this work?

- Mark Harris -

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Tuesday, March 19, 2013 3:28 PM
To: Tomcat Users List
Subject: Re: Manager App not working with Windows authentication enabled

> Harris Mark R wrote:
>> Environment:
>> IIS 7.5
>> Tomcat 7.037
>> AJP/1.3 connector (redirector.dll) v 1.2
>> Java 7
>>
>> We have a requirement for a new intranet application that it use Windows authentication. We have this working in our new application. We do have IIS, the connector and Tomcat serving up the application with no problems. What did happen is that we discovered that the manager application that comes with Tomcat is no longer accessible. We have some staff that use the manager app routinely. We did try to set up two AJP connectors, one defined in the server.xml with tomcatAuthentication="true" and another set to "false". In the AJP property files we set the second one to only be mapped to the manager URL. This did not work as we expected.
>
> Setting tomcatAuthentication="false" in this case means that Tomcat is going to rely on the authenticated user-id sent to it by the front-end, through AJP. So you should authenticate the user at the Apache httpd front-end level.
>
>> Anyone have any ideas on how to get the manager application working?
>
> How would you like the users of the manager application to be authenticated ? Also via Windows Integrated Authentication, or at the Apache httpd level, via some other mechanism ?
> For a simple case, you could for example do this at the Apache httpd level :
>
>     <Location /manager>
>       setHandler jakarta-servlet
>       AuthType Basic
>       AuthName tomcat-manager
>       require user x y z ...
>       ...
>     </Location>
>
> (and set tomcatAuthentication="false")
> (setHandler jakarta-servlet in that <Location> section is roughly equivalent to JkMount /manager worker1)
> This syntax is explained in one of the on-line AJP connector's info pages on the Tomcat website, at the very end of the page.
RE: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
All systems are domain-joined to a mature IT Lab and the issue is with the Tomcat server configuration, as it should load the krb5.ini and/or jaas.conf and activity should be observable on the Web server - whether or not any error is generated.

It is not clear to me what the design load process / order of the call stack should be in the SPNEGO Authentication design. This would help focus on where the issue is. I ran Process Monitor during a Network Client PC TCP session to the Tomcat Web Server as well as during start of the Tomcat Web service. During either of these I don't observe any calls to jaas.conf, or krb5.ini. What should initiate loading of these and at what point should they load?

Observation Notes:

Process Monitor for Tomcat7.exe when browsing to http://server/SPNEGOAuthTest.jsp shows in summary

    TCP Accept: Server - PC
    TCP Receive: Server - PC
    CreateFile: .\Tomcat7.0\webapps\ROOT\SPNEGOAuthTest.jsp
    QueryNetworkOpenInformationFile:
    CloseFile:
    CreateFile: ...
    CreateFile: .\ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class
    CloseFile: .\ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class
    ...
    TCP Send: Server - PC

In the SPNEGOAuthTest.jsp HTML response:
request.getRemoteUser() response shows value of “Nul”
request.getRemoteAddr() does show the IP address of the PC

Process Monitor during Tomcat Service start - calls are shown to
.\conf\server.xml
mbeans-descriptors.xml
.\conf\tomcat-users.xml
.\conf\context.xml
.\conf\web.xml
Again no calls to jaas.conf, or krb5.ini

Date: Thu, 28 Feb 2013 06:42:35 -0800
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit

> On 28/02/2013 02:18, Chris Fors wrote:
>> Trying to get Windows Authentication operational using the Tomcat built-in method. Implemented the following but not observed any Windows / Kerberos authentication occurring:
>>
>> - Domain joined Windows member server
>> - Domain service account
>> - Delegated SPN for HTTP protocol on the member server to the service account
>> - Generated keytab file for the service account and saved in $catalina.base\conf folder
>> - Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
>> - Created krb5.ini and saved in $catalina.base\conf folder
>> - Created jaas.conf and saved in $catalina.base\conf folder
>>
>> After this still no observed effect on logon authentications – all still apparently anonymous.
>
> As expected from what you have described. If there are no security constraints on a resource, Tomcat isn't going to require authentication.
>
>> Anyone had success with this ?
>
> Yes. I have a set of test VMs (1 domain controller, 1 Tomcat server and 1 client) where this feature works.
>
>> Any ideas on what is missing? Is there a good way to debug the process?
>
> See above. I'd expect to see some changes to the webapp.
>
> Mark
Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
Trying to get Windows Authentication operational using the Tomcat built-in method. Implemented the following but not observed any Windows / Kerberos authentication occurring:

- Domain joined Windows member server
- Domain service account
- Delegated SPN for HTTP protocol on the member server to the service account
- Generated keytab file for the service account and saved in $catalina.base\conf folder
- Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
- Created krb5.ini and saved in $catalina.base\conf folder
- Created jaas.conf and saved in $catalina.base\conf folder

After this still no observed effect on logon authentications – all still apparently anonymous.

Anyone had success with this ? Any ideas on what is missing? Is there a good way to debug the process?

Thanks
Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
Chris Fors wrote:
> Trying to get Windows Authentication operational using the Tomcat built-in method. Implemented the following but not observed any Windows / Kerberos authentication occurring:
>
> - Domain joined Windows member server
> - Domain service account
> - Delegated SPN for HTTP protocol on the member server to the service account
> - Generated keytab file for the service account and saved in $catalina.base\conf folder
> - Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
> - Created krb5.ini and saved in $catalina.base\conf folder
> - Created jaas.conf and saved in $catalina.base\conf folder
>
> After this still no observed effect on logon authentications – all still apparently anonymous.
>
> Anyone had success with this ? Any ideas on what is missing? Is there a good way to debug the process?

What is the OS platform ?

To debug the process : other than what you already did above, a network trace with Wireshark or similar ? (should be SMB exchanges I suppose)

Another couple of questions :
- is the client workstation that accesses the Tomcat server, itself in the Domain to which you are trying to authenticate ?
- from the point of view of that workstation and its browser, is that Tomcat server considered as inside the Domain, or at least trusted ? (because if not, then the browser will not even /try/ to use WIA authentication)
Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
On 28/02/2013 02:18, Chris Fors wrote:
> Trying to get Windows Authentication operational using the Tomcat built-in method. Implemented the following but not observed any Windows / Kerberos authentication occurring:
>
> - Domain joined Windows member server
> - Domain service account
> - Delegated SPN for HTTP protocol on the member server to the service account
> - Generated keytab file for the service account and saved in $catalina.base\conf folder
> - Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
> - Created krb5.ini and saved in $catalina.base\conf folder
> - Created jaas.conf and saved in $catalina.base\conf folder
>
> After this still no observed effect on logon authentications – all still apparently anonymous.

As expected from what you have described. If there are no security constraints on a resource, Tomcat isn't going to require authentication.

> Anyone had success with this ?

Yes. I have a set of test VMs (1 domain controller, 1 Tomcat server and 1 client) where this feature works.

> Any ideas on what is missing? Is there a good way to debug the process?

See above. I'd expect to see some changes to the webapp.

Mark
Re: Does Windows authentication work on Tomcat under Linux.
Denis wrote:
> Hello,
>
> I want to use Tomcat's Windows Authentication http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries feature to have a reliable domain user name via HTTPServletRequest.getRemoteUser() within my servlet.
>
> Questions:
> 1) Is Tomcat's Windows authentication supposed to work in my env?
>   * Application Server: apache-tomcat-7.0.21
>   * JDK version: 1.6.0_26
>   * OS: Red Hat Enterprise Linux Server release 5.5 (Tikanga)
> 2) Any additional setup required to be able to access domain username via HTTPServletRequest.getRemoteUser() within my servlet?

Hi.
I do not know either if the above is supposed to work also under Linux as a platform. It is not very clear in the Tomcat docs, and I have asked a couple of times on the list without getting much of an answer. (Probably because few people know).

Now just in case it doesn't work, the following works fine under Linux as well as under Windows : Jespa, at www.ioplex.com
You can download it and test it for 60 days free, and the final license costs are very moderate. (I have no commercial interest in that, I just use it happily).

For Jespa, the answers to your questions are :
1) yes, it will work
2) apart from the setup of Jespa itself, no additional setup or change in the app is required. The setup of Jespa does require the intervention of a sysadmin at the site though, because it requires creating a Windows machine account for Jespa. See the doc, also available for download.
Re: Does Windows authentication work on Tomcat under Linux.
On 25/02/2013 10:48, André Warnier wrote:
> Denis wrote:
>> Hello,
>>
>> I want to use Tomcat's Windows Authentication http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries feature to have a reliable domain user name via HTTPServletRequest.getRemoteUser() within my servlet.
>>
>> Questions:
>> 1) Is Tomcat's Windows authentication supposed to work in my env?
>>   * Application Server: apache-tomcat-7.0.21
>>   * JDK version: 1.6.0_26
>>   * OS: Red Hat Enterprise Linux Server release 5.5 (Tikanga)
>> 2) Any additional setup required to be able to access domain username via HTTPServletRequest.getRemoteUser() within my servlet?
>
> Hi.
> I do not know either if the above is supposed to work also under Linux as a platform. It is not very clear in the Tomcat docs, and I have asked a couple of times on the list without getting much of an answer. (Probably because few people know).

It should work but I haven't tested it. I suggest opening an enhancement request for the docs to be updated to include a known working Linux config. I should be able to take a look at doing that once I get back from ApacheCon next week.

Mark
Re: Does Windows authentication work on Tomcat under Linux.
It will be helpful for those who don't have time to try-and-fail.

On 2/25/2013 2:10 PM, Mark Thomas wrote:
> On 25/02/2013 10:48, André Warnier wrote:
>> Denis wrote:
>>> Hello,
>>>
>>> I want to use Tomcat's Windows Authentication http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries feature to have a reliable domain user name via HTTPServletRequest.getRemoteUser() within my servlet.
>>>
>>> Questions:
>>> 1) Is Tomcat's Windows authentication supposed to work in my env?
>>>   * Application Server: apache-tomcat-7.0.21
>>>   * JDK version: 1.6.0_26
>>>   * OS: Red Hat Enterprise Linux Server release 5.5 (Tikanga)
>>> 2) Any additional setup required to be able to access domain username via HTTPServletRequest.getRemoteUser() within my servlet?
>>
>> Hi.
>> I do not know either if the above is supposed to work also under Linux as a platform. It is not very clear in the Tomcat docs, and I have asked a couple of times on the list without getting much of an answer. (Probably because few people know).
>
> It should work but I haven't tested it. I suggest opening an enhancement request for the docs to be updated to include a known working Linux config. I should be able to take a look at doing that once I get back from ApacheCon next week.
>
> Mark
Re: Windows Authentication: Issue 49318 vs 47679
On Mon, Mar 28, 2011 at 7:26 AM, Stefan Mayr ste...@mayr-stefan.de wrote:
> Hello everybody,
>
> like many others before us, we wanted to do single sign-on for intranet web applications using Integrated Windows Authentication (Negotiate, because IE sometimes tries NTLM instead of using plain Kerberos - breaking all our Kerberos-only experiments). We thought that IIS would be the best choice for Integrated Windows Authentication and we could pass the user via AJP (using mod_jk) to our Tomcat instances.
>
> Our setup:
> - Windows 2008 R2 using IIS 7.5 (64bit)
> - mod_jk 1.2.31
> - Oracle Java 1.6 U24
> - Tomcat 6.0.32
>
> At first glance using tomcatAuthentication="false" worked as expected. We got the remote user and started deploying an application. End of happiness - the application complained about a missing user-agent. That header was not passed to Tomcat when authentication was enabled on IIS. Some research revealed Bug 47679 - "Not all headers get passed to Tomcat server from isapi_redirect.dll" (https://issues.apache.org/bugzilla/show_bug.cgi?id=47679)
>
> Today I've found Bug 49318 - "add a Negotiate (Kerberos/NTLM) authenticator / integrate Waffle" (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318). The last comment links a new Windows Authentication How-To from Mark Thomas.
>
> Looks like we have already tried almost all proposed solutions:
> - IIS + mod_jk: tried but stuck in Bug 47679. Also tried ARR to pass the user name as a request header from IIS to Tomcat without success
> - Apache mod_ntlm: used it and we replaced it by the much more stable mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
> - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit platform - we couldn't get stability problems solved on Apache 2.2 and 64bit Linux. No ongoing development.
> - Apache mod_auth_sspi: till now in internal use for a very small project (works just fine), not sure about the future. Although there seems to be some new activity on 1.0.5 beta
> - Waffle: found it on Thursday and it is on our todo-list for testing it next week
>
> Any chances to get Bug 47679 solved? How can we help (we are admins, no devs)?
> What solutions have you deployed? Recommendations?

I've committed a fix for Bug 47679, which I hope will resolve the issues people have been having using the ISAPI redirector in an extension-only mode.
Re: Windows Authentication: Issue 49318 vs 47679
Stefan Mayr wrote:
> Native SPNEGO in Tomcat sounds great. Waiting a little while depends on your scale of "little". Is there already some development we can follow? Will this use Java GSS? I never figured out how to configure this with Tomcat.

If you are in a hurry, you may want to have a look at Jespa : www.ioplex.com. Have it installed at numerous customer sites and it works great.

About the sequence of rewrite/forward with IIS, have a look at isapi_rewrite : http://www.helicontech.com/isapi_rewrite/doc/
It can pick up the user's Windows domain user-id, and pass it on as an HTTP header. You would then need a simple servlet filter at the Tomcat level, to pick up the content of this header and use it as the authenticated Tomcat user-id.
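As an added illustration (not André's code, not Jespa, and not part of Tomcat), this is the kind of servlet filter described above, written against the javax.servlet API of the Tomcat 6/7 era. The header name X-Remote-User, the init-parameter names and the class name are assumptions. The point a defender cares about is that the header is only honoured when the TCP peer is the configured front-end: a client that can reach the connector directly must not be able to set the header itself, so the filter rejects such requests outright.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: accepts a user-id header set by an authenticating
 * front-end (IIS + isapi_rewrite in the thread above) and exposes it through
 * getRemoteUser()/getUserPrincipal(). Declare it in web.xml with the
 * init-params "trustedProxies" (comma-separated peer addresses, required)
 * and optionally "headerName" (default X-Remote-User). Both names are assumed.
 */
public class ProxyUserHeaderFilter implements Filter {

    private static final String DEFAULT_HEADER = "X-Remote-User"; // assumed header name

    private String headerName = DEFAULT_HEADER;
    private final Set<String> trustedProxies = new HashSet<String>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String h = config.getInitParameter("headerName");
        if (h != null && !h.trim().isEmpty()) {
            headerName = h.trim();
        }
        String proxies = config.getInitParameter("trustedProxies");
        if (proxies == null || proxies.trim().isEmpty()) {
            // Refuse to start rather than silently trust every peer.
            throw new ServletException("trustedProxies init-param is required");
        }
        for (String p : proxies.split(",")) {
            if (!p.trim().isEmpty()) {
                trustedProxies.add(p.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRemoteAddr() is the actual TCP peer, not a forwarded header, so only
        // requests that really came through the front-end may carry an identity.
        if (!trustedProxies.contains(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String user = request.getHeader(headerName);
        if (user == null || user.trim().isEmpty()) {
            // The front-end did not authenticate this request: stay anonymous.
            chain.doFilter(request, response);
            return;
        }
        chain.doFilter(new AuthenticatedRequest(request, user.trim()), response);
    }

    @Override
    public void destroy() {
    }

    /** Wrapper that reports the proxy-asserted user as the remote user. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final String user;

        AuthenticatedRequest(HttpServletRequest request, String user) {
            super(request);
            this.user = user;
        }

        @Override
        public String getRemoteUser() {
            return user;
        }

        @Override
        public Principal getUserPrincipal() {
            return new Principal() {
                @Override
                public String getName() {
                    return user;
                }
            };
        }

        @Override
        public String getAuthType() {
            return "PROXY"; // hypothetical label, not a servlet-spec constant
        }
    }
}
```

The wrapper only changes what the application sees; Tomcat's own security constraints are evaluated by the authenticator valve before any filter runs, so the role problem discussed in the Manager App thread is not solved by this, which is what the connector's tomcatAuthentication="false" route is for.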
Re: Windows Authentication: Issue 49318 vs 47679
On 28/03/2011 22:31, Stefan Mayr wrote:
> Native SPNEGO in Tomcat sounds great. Waiting a little while depends on your scale of "little". Is there already some development we can follow? Will this use Java GSS? I never figured out how to configure this with Tomcat.

"little" hopefully means the next week or so in a 7.0.12 release. I have a handful of things I need/want to get into 7.0.12 and SPNEGO is one of them.

Having spent more time than I want to think about and having lost count of the number of times I re-installed Windows 2k8 server to test this, I finally got this working a few minutes ago. The current code is *very* rough and ready and it only does authentication, not authorisation, so I still have some work to do. The solution is based on ideas from Spring Security's Kerberos extension and the most recent patches attached to bug 48685.

I'll be committing an initial implementation once I have cleaned up the code a bit and then I'll build on that to add authorisation, more configuration etc.

Mark
Re: Windows Authentication: Issue 49318 vs 47679
On 29/03/2011 15:20, Mark Thomas wrote:
> On 28/03/2011 22:31, Stefan Mayr wrote:
>> Native SPNEGO in Tomcat sounds great. Waiting a little while depends on your scale of "little". Is there already some development we can follow? Will this use Java GSS? I never figured out how to configure this with Tomcat.
>
> "little" hopefully means the next week or so in a 7.0.12 release. I have a handful of things I need/want to get into 7.0.12 and SPNEGO is one of them.
>
> Having spent more time than I want to think about and having lost count of the number of times I re-installed Windows 2k8 server to test this, I finally got this working a few minutes ago. The current code is *very* rough and ready and it only does authentication, not authorisation, so I still have some work to do. The solution is based on ideas from Spring Security's Kerberos extension and the most recent patches attached to bug 48685.
>
> I'll be committing an initial implementation once I have cleaned up the code a bit and then I'll build on that to add authorisation, more configuration etc.

The first part just got committed [1]. More to follow over the next day or so.

Mark

[1] http://svn.apache.org/viewvc?rev=1086683&view=rev
Re: Windows Authentication: Issue 49318 vs 47679
Would adding support for client credential delegation be out of scope for this implementation or not?

Client credential delegation is when you use the SPNEGO token to construct a javax.security.auth.Subject instance that represents the client, which the server-side application can use to impersonate the client (e.g. connect to some Kerberized database as the client that sent the request, or consume some other Kerberized service as the client).

The code for creating such a Subject would be something like this:

    GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
    context.acceptSecContext(...);
    // check if the credentials can be delegated
    if (!context.getCredDelegState()) {
        // get the delegated credentials from the calling peer...
        GSSCredential clientCred = context.getDelegCred();
        // Create a Subject out of the delegated credentials.
        // With this Subject the application server can impersonate the client that sent the request.
        Subject clientSubject = com.sun.security.jgss.GSSUtil.createSubject(context.getSrcName(), clientCred);
    }
    // Store the clientSubject somewhere - maybe to the HttpServletRequest?

I am sure this would be useful for some applications - for example the one that we are currently developing needs functionality like this.

On Tue, Mar 29, 2011 at 9:09 PM, Mark Thomas ma...@apache.org wrote:
> On 29/03/2011 15:20, Mark Thomas wrote:
>> On 28/03/2011 22:31, Stefan Mayr wrote:
>>> Native SPNEGO in Tomcat sounds great. Waiting "a little while" depends on your scale of "little". Is there already some development we can follow? Will this use Java GSS? I never figured out how to configure this with Tomcat.
>>
>> "little" hopefully means the next week or so in a 7.0.12 release. I have a handful of things I need/want to get into 7.0.12 and SPNEGO is one of them.
>>
>> Having spent more time than I want to think about and having lost count of the number of times I re-installed Windows 2k8 server to test this, I finally got this working a few minutes ago. The current code is *very* rough and ready and it only does authentication, not authorisation so I still have some work to do. The solution is based on ideas from Spring Security's Kerberos extension and the most recent patches attached to bug 48685.
>>
>> I'll be committing an initial implementation once I have cleaned up the code a bit and then I'll build on that to add authorisation, more configuration etc.
>
> The first part just got committed [1]. More to follow over the next day or so.
>
> Mark
>
> [1] http://svn.apache.org/viewvc?rev=1086683&view=rev

--
Why? Because YES!
Re: Windows Authentication: Issue 49318 vs 47679
Whoops, I reversed the condition of the if statement, it should be:

    // check if the credentials can be delegated
    if (context.getCredDelegState()) {
        ...
    }

On Tue, Mar 29, 2011 at 9:47 PM, Borut Hadžialić borut.hadzia...@gmail.com wrote:
> Would adding support for client credential delegation be out of scope for this implementation or not?
>
> Client credential delegation is when you use the SPNEGO token to construct a javax.security.auth.Subject instance that represents the client, which the server-side application can use to impersonate the client (e.g. connect to some Kerberized database as the client that sent the request, or consume some other Kerberized service as the client).
>
> The code for creating such a Subject would be something like this:
>
>     GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
>     context.acceptSecContext(...);
>     // check if the credentials can be delegated
>     if (!context.getCredDelegState()) {
>         // get the delegated credentials from the calling peer...
>         GSSCredential clientCred = context.getDelegCred();
>         // Create a Subject out of the delegated credentials.
>         // With this Subject the application server can impersonate the client that sent the request.
>         Subject clientSubject = com.sun.security.jgss.GSSUtil.createSubject(context.getSrcName(), clientCred);
>     }
>     // Store the clientSubject somewhere - maybe to the HttpServletRequest?
>
> I am sure this would be useful for some applications - for example the one that we are currently developing needs functionality like this.
>
> On Tue, Mar 29, 2011 at 9:09 PM, Mark Thomas ma...@apache.org wrote:
>> On 29/03/2011 15:20, Mark Thomas wrote:
>>> On 28/03/2011 22:31, Stefan Mayr wrote:
>>>> Native SPNEGO in Tomcat sounds great. Waiting "a little while" depends on your scale of "little". Is there already some development we can follow? Will this use Java GSS? I never figured out how to configure this with Tomcat.
>>>
>>> "little" hopefully means the next week or so in a 7.0.12 release. I have a handful of things I need/want to get into 7.0.12 and SPNEGO is one of them.
>>>
>>> Having spent more time than I want to think about and having lost count of the number of times I re-installed Windows 2k8 server to test this, I finally got this working a few minutes ago. The current code is *very* rough and ready and it only does authentication, not authorisation so I still have some work to do. The solution is based on ideas from Spring Security's Kerberos extension and the most recent patches attached to bug 48685.
>>>
>>> I'll be committing an initial implementation once I have cleaned up the code a bit and then I'll build on that to add authorisation, more configuration etc.
>>
>> The first part just got committed [1]. More to follow over the next day or so.
>>
>> Mark
>>
>> [1] http://svn.apache.org/viewvc?rev=1086683&view=rev
Re: Windows Authentication: Issue 49318 vs 47679
On 29/03/2011 20:47, Borut Hadžialić wrote:
> Would adding support for client credential delegation be out of scope for this implementation or not?

It is in scope with the caveat - as always - that it depends on what the final implementation looks like. I do know (from debug logging) that right now tokens do not allow delegation. I suspect the hardest part of implementing this will be figuring out what config needs tweaking to allow that.

> // Store the clientSubject somewhere - maybe to the HttpServletRequest?

That needs a little more thought. I am leaning towards a request attribute at the moment unless I can find a way to get it into the result of getUserPrincipal() (which I don't think I can without requiring a cast to a Tomcat internal class which is just horrible).

> I am sure this would be useful for some applications - for example the one that we are currently developing needs functionality like this.

Testing help always appreciated if you are happy running the latest 7.0.x release (this should be in 7.0.12 which I plan to start releasing just as soon as I finish everything on my todo list).

Mark
Re: Windows Authentication: Issue 49318 vs 47679
On Tue, Mar 29, 2011 at 9:57 PM, Mark Thomas ma...@apache.org wrote:
> It is in scope with the caveat - as always - that it depends on what the final implementation looks like. I do know (from debug logging) that right now tokens do not allow delegation. I suspect the hardest part of implementing this will be figuring out what config needs tweaking to allow that.

I think that credential delegation is configured at the domain controller and client side, as this nice article describes: http://spnego.sourceforge.net/credential_delegation.html

>> I am sure this would be useful for some applications - for example the one that we are currently developing needs functionality like this.
>
> Testing help always appreciated if you are happy running the latest 7.0.x release (this should be in 7.0.12 which I plan to start releasing just as soon as I finish everything on my todo list).

We already have some hand-written custom code for this. We will not be switching to 7.0.x (we will be deploying to tcServer in production, and it will probably take lots of time for 7.0.12 changes to appear in some version of tcServer, so we need the custom code we have at the moment).

I might however try to deploy our app to 7.0.12 when it is out - and see how much of our custom code will get removed by this SPNEGO support that you are writing now.
Re: Windows Authentication: Issue 49318 vs 47679
On 29/03/2011 21:18, Borut Hadžialić wrote:
> On Tue, Mar 29, 2011 at 9:57 PM, Mark Thomas ma...@apache.org wrote:
>> It is in scope with the caveat - as always - that it depends on what the final implementation looks like. I do know (from debug logging) that right now tokens do not allow delegation. I suspect the hardest part of implementing this will be figuring out what config needs tweaking to allow that.
>
> I think that credential delegation is configured at the domain controller and client side, as this nice article describes: http://spnego.sourceforge.net/credential_delegation.html

Thanks. That is one of the many articles I have read over the last few days but I had forgotten which ones mentioned what. I'll take a look.

>>> I am sure this would be useful for some applications - for example the one that we are currently developing needs functionality like this.
>>
>> Testing help always appreciated if you are happy running the latest 7.0.x release (this should be in 7.0.12 which I plan to start releasing just as soon as I finish everything on my todo list).
>
> We already have some hand-written custom code for this. We will not be switching to 7.0.x (we will be deploying to tcServer in production, and it will probably take lots of time for 7.0.12 changes to appear in some version of tcServer, so we need the custom code we have at the moment).

Fair enough.

<off-topic>
With my VMware hat on, that is probably going to be sooner than you think it is but I can't give you any firm dates.
</off-topic>

> I might however try to deploy our app to 7.0.12 when it is out - and see how much of our custom code will get removed by this SPNEGO support that you are writing now.

That would be great. Any testing and feedback is always helpful.

Mark
Re: Windows Authentication: Issue 49318 vs 47679
Hello Stefan,

if you can't fix your problem with configuration and decide that you want to solve the problem by programming, then this might help you: http://blog.springsource.com/2009/09/28/spring-security-kerberos/

After understanding that article a developer should be able to add a SPNEGO implementation (probably not the whole protocol, just as much as is needed for your app) to your Tomcat application by adding some filters. What the implementation needs to do is basically:

1. If there is a 'Negotiate ..' HTTP header or other authentication, read it and process it.
2. Otherwise, if there is no authentication, send a SPNEGO challenge:

    // HttpServletResponse response
    response.addHeader("WWW-Authenticate", "Negotiate");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.flushBuffer();

On Sun, Mar 27, 2011 at 8:26 PM, Stefan Mayr ste...@mayr-stefan.de wrote:
> Hello everybody,
>
> as many others before we wanted to do single-sign-on for intranet web applications using integrated windows authentication (negotiate because IE sometimes tries NTLM instead of using plain Kerberos - breaking all our Kerberos-only experiments). We thought that IIS would be the best choice for integrated windows authentication and we could pass the user via AJP (using mod_jk) to our Tomcat instances.
>
> Our setup:
> - Windows 2008 R2 using IIS 7.5 (64bit)
> - mod_jk 1.2.31
> - Oracle Java 1.6 U24
> - Tomcat 6.0.32
>
> At first glance using tomcatAuthentication=false worked as expected. We got the remote user and started deploying an application. End of happiness - the application complained about a missing user-agent. That header was not passed to Tomcat when authentication was enabled on IIS.
>
> Some research revealed Bug 47679 - "Not all headers get passed to Tomcat server from isapi_redirect.dll" (https://issues.apache.org/bugzilla/show_bug.cgi?id=47679)
>
> Today I've found Bug 49318 - "add a Negotiate (Kerberos/NTLM) authenticator / integrate Waffle" (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318). The last comment links a new Windows Authentication How-To from Mark Thomas. Looks like we have already tried almost all proposed solutions:
> - IIS + mod_jk: tried but stuck in Bug 47679. Also tried ARR to pass the user name as a request header from IIS to Tomcat without success
> - Apache mod_ntlm: used it and we replaced it by the much more stable mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
> - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit platform - we couldn't get stability problems solved on Apache 2.2 and 64bit Linux. No ongoing development.
> - Apache mod_auth_sspi: till now in internal use for a very small project (works just fine), not sure about the future. Although there seems to be some new activity on 1.0.5 beta
> - Waffle: found it on Thursday and it is on our todo-list for testing it next week
>
> Any chances to get Bug 47679 solved? How can we help (we are admins, no devs)?
> What solutions have you deployed? Recommendations?
>
> Thank you,
>
> Stefan Mayr
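Putting the two snippets from this thread together (the Negotiate challenge Borut describes above, and his credential-delegation sketch from earlier in the thread with the condition corrected as in his follow-up, stored on the request as Mark suggested), here is an added, self-contained servlet filter. It is example code written for this page: not Borut's code, not Spring Security's, and not Tomcat's SpnegoAuthenticator. It assumes Java 8 or later (java.util.Base64, lambdas), the javax.servlet API, a JAAS configuration entry named tomcat-spnego for the service principal (an assumed name), and the request attribute names example.spnego.clientName and example.spnego.clientSubject, which are this example's own choice.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

/**
 * Illustrative SPNEGO filter (example code, not Tomcat's SpnegoAuthenticator):
 * challenges with "WWW-Authenticate: Negotiate", accepts the client's token through
 * JGSS under the service's own Kerberos login and, only when the KDC marked the
 * ticket as delegable, builds a Subject for the client and stores it on the request.
 */
public class NegotiateFilter implements Filter {

    /** Attribute names are this example's own choice, not a Tomcat convention. */
    public static final String CLIENT_NAME_ATTR = "example.spnego.clientName";
    public static final String CLIENT_SUBJECT_ATTR = "example.spnego.clientSubject";

    private static final String NEGOTIATE = "Negotiate";

    /** Subject holding the service principal's Kerberos key (logged in from a keytab). */
    private Subject serviceSubject;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            // "tomcat-spnego" is an assumed JAAS entry name; it is expected to use
            // Krb5LoginModule with useKeyTab=true, storeKey=true, isInitiator=false
            // for the HTTP/<host> service principal.
            LoginContext lc = new LoginContext("tomcat-spnego");
            lc.login();
            serviceSubject = lc.getSubject();
        } catch (LoginException e) {
            throw new ServletException("service principal login failed", e);
        }
    }

    @Override
    public void destroy() {
        serviceSubject = null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. No (or non-Negotiate) credentials: send the SPNEGO challenge and stop.
        String authz = request.getHeader("Authorization");
        if (authz == null
                || !authz.regionMatches(true, 0, NEGOTIATE + " ", 0, NEGOTIATE.length() + 1)) {
            sendChallenge(response, null);
            return;
        }

        // 2. Decode the client's token; a malformed header is a client error, not a 401 loop.
        byte[] inToken;
        try {
            inToken = Base64.getDecoder().decode(authz.substring(NEGOTIATE.length() + 1).trim());
        } catch (IllegalArgumentException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed Negotiate token");
            return;
        }

        GSSContext context = null;
        try {
            context = GSSManager.getInstance().createContext((GSSCredential) null);
            GSSContext ctx = context;
            // Accept the token as the service principal so JGSS can find the acceptor key.
            byte[] outToken = Subject.doAs(serviceSubject,
                    (PrivilegedExceptionAction<byte[]>) () -> ctx.acceptSecContext(inToken, 0, inToken.length));

            if (!context.isEstablished()) {
                // Multi-round negotiation: hand our token back and wait for the next one.
                sendChallenge(response, outToken);
                return;
            }
            if (outToken != null && outToken.length > 0) {
                // Final mutual-authentication token travels back on the successful response.
                response.addHeader("WWW-Authenticate",
                        NEGOTIATE + " " + Base64.getEncoder().encodeToString(outToken));
            }

            GSSName client = context.getSrcName();
            request.setAttribute(CLIENT_NAME_ATTR, client.toString());

            // 3. Delegation is only possible when the ticket carries the delegation
            //    flags the domain controller granted; otherwise this stays false.
            if (context.getCredDelegState()) {
                GSSCredential clientCred = context.getDelegCred();
                Subject clientSubject = com.sun.security.jgss.GSSUtil.createSubject(client, clientCred);
                request.setAttribute(CLIENT_SUBJECT_ATTR, clientSubject);
            }
            chain.doFilter(request, response);
        } catch (GSSException | PrivilegedActionException e) {
            // Bad or replayed ticket, wrong SPN, clock skew: fail, do not re-challenge forever.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Negotiate authentication failed");
        } finally {
            if (context != null) {
                try { context.dispose(); } catch (GSSException ignore) { }
            }
        }
    }

    /** Sends a 401 with the Negotiate challenge, optionally carrying a continuation token. */
    static void sendChallenge(HttpServletResponse response, byte[] token) throws IOException {
        String value = (token == null || token.length == 0)
                ? NEGOTIATE
                : NEGOTIATE + " " + Base64.getEncoder().encodeToString(token);
        response.addHeader("WWW-Authenticate", value);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.flushBuffer();
    }
}
```

Two points worth noting from a defender's side. First, getCredDelegState() being false is the normal case, which matches what Mark saw in his debug logs: the client only sends a forwardable TGT when the domain controller permits delegation to that service account, so no amount of Tomcat-side code changes that answer. Second, a delegated Subject is a reusable credential for the user, so it is scoped to the request here rather than cached in the session, and the filter answers a failed or replayed token with 403 instead of another challenge so a broken client cannot loop. Authorisation (mapping the GSSName to roles) is a separate step, as the thread says.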
Re: Windows Authentication: Issue 49318 vs 47679
On 28/03/2011 08:42, Borut Hadžialić wrote:
> Hello Stefan,
>
> if you can't fix your problem with configuration and decide that you want to solve the problem by programming, then this might help you: http://blog.springsource.com/2009/09/28/spring-security-kerberos/
>
> After understanding that article a developer should be able to add a SPNEGO implementation (probably not the whole protocol, just as much as is needed for your app) to your Tomcat application by adding some filters.

Or you could just add Spring Security to your app. I'll add that as an option to the new How-To.

>> Today I've found Bug 49318 - "add a Negotiate (Kerberos/NTLM) authenticator / integrate Waffle" (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318). The last comment links a new Windows Authentication How-To from Mark Thomas. Looks like we have already tried almost all proposed solutions:

Thanks for the great feedback on the options. I put the existing how-to together pretty much entirely on some Google searches. I'll add your feedback to the how-to / maybe remove some options that don't look viable.

>> - IIS + mod_jk: tried but stuck in Bug 47679. Also tried ARR to pass the user name as a request header from IIS to Tomcat without success
>> - Apache mod_ntlm: used it and we replaced it by the much more stable mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
>> - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit platform - we couldn't get stability problems solved on Apache 2.2 and 64bit Linux. No ongoing development.
>> - Apache mod_auth_sspi: till now in internal use for a very small project (works just fine), not sure about the future. Although there seems to be some new activity on 1.0.5 beta
>> - Waffle: found it on Thursday and it is on our todo-list for testing it next week
>>
>> Any chances to get Bug 47679 solved? How can we help (we are admins, no devs)?
>> What solutions have you deployed? Recommendations?

It is tricky to recommend something right now. I'm guessing you want something that a) works reliably and b) is likely to be supported for the long term. Right now Waffle probably comes closest to that. If you can wait a little while, I should have SPNEGO support in Tomcat 7 fairly soon. It may - or may not - get back-ported to Tomcat 6. It will depend on the eventual solution.

Mark
RE: Windows Authentication: Issue 49318 vs 47679
> I should have SPNEGO support in Tomcat 7 fairly soon.

This would be great!
Re: Windows Authentication: Issue 49318 vs 47679
Hi Mark,

On 28.03.2011 10:49, Mark Thomas wrote:
> On 28/03/2011 08:42, Borut Hadžialić wrote:
>> Hello Stefan,
>>
>> if you can't fix your problem with configuration and decide that you want to solve the problem by programming, then this might help you: http://blog.springsource.com/2009/09/28/spring-security-kerberos/
>>
>> After understanding that article a developer should be able to add a SPNEGO implementation (probably not the whole protocol, just as much as is needed for your app) to your Tomcat application by adding some filters.
>
> Or you could just add Spring Security to your app. I'll add that as an option to the new How-To.

I guess this is the classic Kerberos/keytab approach (no NTLM fallback) that many solutions offer.

>>> Today I've found Bug 49318 - "add a Negotiate (Kerberos/NTLM) authenticator / integrate Waffle" (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318). The last comment links a new Windows Authentication How-To from Mark Thomas. Looks like we have already tried almost all proposed solutions:
>
> Thanks for the great feedback on the options. I put the existing how-to together pretty much entirely on some Google searches. I'll add your feedback to the how-to / maybe remove some options that don't look viable.
>
>>> - IIS + mod_jk: tried but stuck in Bug 47679. Also tried ARR to pass the user name as a request header from IIS to Tomcat without success
>>> - Apache mod_ntlm: used it and we replaced it by the much more stable mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
>>> - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit platform - we couldn't get stability problems solved on Apache 2.2 and 64bit Linux. No ongoing development.
>>> - Apache mod_auth_sspi: till now in internal use for a very small project (works just fine), not sure about the future. Although there seems to be some new activity on 1.0.5 beta
>>> - Waffle: found it on Thursday and it is on our todo-list for testing it next week
>>>
>>> Any chances to get Bug 47679 solved? How can we help (we are admins, no devs)?
>>> What solutions have you deployed? Recommendations?
>
> It is tricky to recommend something right now. I'm guessing you want something that a) works reliably and b) is likely to be supported for the long term. Right now Waffle probably comes closest to that. If you can wait a little while, I should have SPNEGO support in Tomcat 7 fairly soon. It may - or may not - get back-ported to Tomcat 6. It will depend on the eventual solution.

You're definitely right. We search for the holy grail of intranet authentication. a+b is a must.

The idea of using IIS with ARR in reverse proxy mode passing a username was a dead end: Microsoft pointed us to a nice article describing the HTTP request processing order. Rewriting a request comes before the authentication module - so nothing to append to a header or request in the first place. See http://learn.iis.net/page.aspx/501/iis-70-request-filtering-and-url-rewriting/

Leaves IIS with mod_jk if you can live with Bug 47679.

Our first test with Waffle is promising. Now it needs to be integrated in our application for further testing.

Native SPNEGO in Tomcat sounds great. Waiting "a little while" depends on your scale of "little". Is there already some development we can follow? Will this use Java GSS? I never figured out how to configure this with Tomcat.

Stefan
Windows Authentication: Issue 49318 vs 47679
Hello everybody,

as many others before we wanted to do single-sign-on for intranet web applications using integrated windows authentication (negotiate because IE sometimes tries NTLM instead of using plain Kerberos - breaking all our Kerberos-only experiments). We thought that IIS would be the best choice for integrated windows authentication and we could pass the user via AJP (using mod_jk) to our Tomcat instances.

Our setup:
- Windows 2008 R2 using IIS 7.5 (64bit)
- mod_jk 1.2.31
- Oracle Java 1.6 U24
- Tomcat 6.0.32

At first glance using tomcatAuthentication=false worked as expected. We got the remote user and started deploying an application. End of happiness - the application complained about a missing user-agent. That header was not passed to Tomcat when authentication was enabled on IIS.

Some research revealed Bug 47679 - "Not all headers get passed to Tomcat server from isapi_redirect.dll" (https://issues.apache.org/bugzilla/show_bug.cgi?id=47679)

Today I've found Bug 49318 - "add a Negotiate (Kerberos/NTLM) authenticator / integrate Waffle" (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318). The last comment links a new Windows Authentication How-To from Mark Thomas. Looks like we have already tried almost all proposed solutions:
- IIS + mod_jk: tried but stuck in Bug 47679. Also tried ARR to pass the user name as a request header from IIS to Tomcat without success
- Apache mod_ntlm: used it and we replaced it by the much more stable mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
- Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit platform - we couldn't get stability problems solved on Apache 2.2 and 64bit Linux. No ongoing development.
- Apache mod_auth_sspi: till now in internal use for a very small project (works just fine), not sure about the future. Although there seems to be some new activity on 1.0.5 beta
- Waffle: found it on Thursday and it is on our todo-list for testing it next week

Any chances to get Bug 47679 solved? How can we help (we are admins, no devs)?
What solutions have you deployed? Recommendations?

Thank you,

Stefan Mayr
Issues with ntlmauth.dll on Apache Tomcat/5.5.26 (SQL server Windows Authentication)
Hi,

We have a problem on our production servers. Tomcat was running fine and we decided to use the SQL Server Windows Authentication by adding ntlmauth.dll in the system32 Windows folder and updating jTDS to version jtds1.2.5.jar as instructed by the website. This has caused a memory leak in the Tomcat process, i.e. if observed using the Windows Task Manager the memory usage for the tomcat6.exe process would go up until a restart is required due to an OutOfMemory exception. Our Java application runs fine and no memory leak is reported there when observed using JConsole or JProfiler.

Are you aware of any problems with this procedure? Is this a known issue? I have searched the Internet for a solution and have not been able to find anything regarding this for weeks now. I would really appreciate it if you could get back to me on this, as it is causing a lot of problems to our service.

Best regards,

Bledar Mema
Re: Issues with ntlmauth.dll on Apache Tomcat/5.5.26 (SQL server Windows Authentication)
BLEDAR MEMA wrote:
> Hi,
>
> We have a problem on our production servers. Tomcat was running fine and we decided to use the SQL Server Windows Authentication by adding ntlmauth.dll in the system32 Windows folder and updating jTDS to version jtds1.2.5.jar as instructed by the website. This has caused a memory leak in the Tomcat process, i.e. if observed using the Windows Task Manager the memory usage for the tomcat6.exe process would go up until a restart is required due to an OutOfMemory exception. Our Java application runs fine and no memory leak is reported there when observed using JConsole or JProfiler.
>
> Are you aware of any problems with this procedure? Is this a known issue? I have searched the Internet for a solution and have not been able to find anything regarding this for weeks now. I would really appreciate it if you could get back to me on this, as it is causing a lot of problems to our service.

This is the same issue as the thread entitled "Memory Leak in Tomcat". Perhaps you want to browse it.

The answer is the same: you should ask the jTDS (jDTS ?) people about it. It does not seem to have anything to do with Tomcat per se.
Question regarding IIS Windows Authentication using Tomcat Connector
I have a Java web app whereby we have been using the JCIFS open source authentication package that uses NTLMv1 over the past 5 years and it's been working great. However, some of our users are now using Windows 7 that does not accept NTLMv1 authentication and now I'm looking at IIS in order to authenticate our users.

I used the Apache Tomcat Connector and got that set up; however, I am having issues in retrieving the authentication property for the USERID of the client making the request which I understood IIS provides. On the Apache Tomcat Connector documentation it only states how to set up the IIS Tomcat integration which is working great but it does NOT provide the information, from a Java perspective, on how to retrieve from the request the userid info.

I have tried the HttpServletRequest object but when I use the getRemoteUser() method I get a NULL value. I realize I must be doing something wrong but I have no idea what.

If anyone has accomplished this or can provide information on this it would be greatly appreciated. I've posted on a number of Tomcat forums but cannot get a response to this issue. Any help/direction, again, would be appreciated.

I forgot to mention that I am using my local Windows XP Pro box with IIS v5.1 in the event that info is needed to answer my question.

Thanks so much.

Melinda Savoy
Sr. Programmer Analyst, ERP Systems
Innovative Technology Solutions
Texas Health Resources
600 E. Lamar Blvd, Ste 301, Arlington TX 76011
melindasa...@texashealth.org

Texas Health Resources: Arlington Memorial, Harris Methodist and Presbyterian Hospitals. A shared mission and now a shared name.

The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system.
RE: Question regarding IIS Windows Authentication using Tomcat Connector
I just posted about this :)

Instead of using IIS, you should take a look at the Waffle Tomcat Authenticator (http://waffle.codeplex.com). Currently it stores a Generic principal with the user's FQN and all local/domain groups, but that can certainly be extended to a much richer principal with all kinds of information that Windows provides (such as SID).

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Thursday, May 20, 2010 8:45 AM
To: 'users@tomcat.apache.org'
Subject: Question regarding IIS Windows Authentication using Tomcat Connector

> I have a Java web app whereby we have been using the JCIFS open source authentication package that uses NTLMv1 over the past 5 years and it's been working great. However, some of our users are now using Windows 7 that does not accept NTLMv1 authentication and now I'm looking at IIS in order to authenticate our users.
>
> I used the Apache Tomcat Connector and got that set up; however, I am having issues in retrieving the authentication property for the USERID of the client making the request which I understood IIS provides. On the Apache Tomcat Connector documentation it only states how to set up the IIS Tomcat integration which is working great but it does NOT provide the information, from a Java perspective, on how to retrieve from the request the userid info.
>
> I have tried the HttpServletRequest object but when I use the getRemoteUser() method I get a NULL value. I realize I must be doing something wrong but I have no idea what.
>
> If anyone has accomplished this or can provide information on this it would be greatly appreciated. I've posted on a number of Tomcat forums but cannot get a response to this issue. Any help/direction, again, would be appreciated.
>
> I forgot to mention that I am using my local Windows XP Pro box with IIS v5.1 in the event that info is needed to answer my question.
>
> Thanks so much.
>
> Melinda Savoy
> Sr. Programmer Analyst, ERP Systems
> Innovative Technology Solutions
> Texas Health Resources
> 600 E. Lamar Blvd, Ste 301, Arlington TX 76011
> melindasa...@texashealth.org
RE: Question regarding IIS Windows Authentication using Tomcat Connector
I did see your post from Nabble and I appreciate it. I will hopefully get an opp to try it today if I cannot get an answer to my issue.

A few questions on your post below, and pardon my ignorance, but what is a user's FQN? Are you stating that Waffle does NOT provide a user id from the request? Are the WEB.XML settings required? Why I ask about the web.xml settings is because our former team lead created an underlying SECURITY package that is the foundation of our web app. Unfortunately, he is no longer here and I do not have time to re-write our app. He wrote this to do multiple things:

1. Used as a wrapper around JCIFS.
2. Used for other security layers to acquire security info from our legacy system.

I just set up the Apache Tomcat Connector on Tuesday. Are you stating that you've used IIS Tomcat integration (Apache Tomcat Connector) and you could not get the userid info from the client request either?

Thanks again for your post.

-----Original Message-----
From: dB. [mailto:dbl...@dblock.org]
Sent: Thursday, May 20, 2010 7:53 AM
To: Tomcat Users List
Subject: RE: Question regarding IIS Windows Authentication using Tomcat Connector

> I just posted about this :) Instead of using IIS, you should take a look at the Waffle Tomcat Authenticator (http://waffle.codeplex.com). Currently it stores a Generic principal with the user's FQN and all local/domain groups, but that can certainly be extended to a much richer principal with all kinds of information that Windows provides (such as SID).
>
> dB. @ dblock.org
> Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Thursday, May 20, 2010 8:45 AM
To: 'users@tomcat.apache.org'
Subject: Question regarding IIS Windows Authentication using Tomcat Connector

> I have a Java web app whereby we have been using the JCIFS open source authentication package that uses NTLMv1 over the past 5 years and it's been working great. However, some of our users are now using Windows 7, which does not accept NTLMv1 authentication, and now I'm looking at IIS in order to authenticate our users. I used the Apache Tomcat Connector and got that set up; however, I am having issues in retrieving the authentication property for the USERID of the client making the request, which I understood IIS provides. The Apache Tomcat Connector documentation only states how to set up the IIS Tomcat integration, which is working great, but it does NOT provide the information, from a Java perspective, on how to retrieve the userid info from the request. I have tried the HttpServletRequest object but when I use the getRemoteUser() method I get a NULL value. I realize I must be doing something wrong but I have no idea what. If anyone has accomplished this or can provide information on this it would be greatly appreciated. I've posted on a number of Tomcat forums but cannot get a response to this issue. Any help/direction, again, would be appreciated.
>
> I forgot to mention that I am using my local Windows XP Pro box with IIS v5.1 in the event that info is needed to answer my question.
>
> Thanks so much.
>
> Melinda Savoy
> Sr. Programmer Analyst, ERP Systems
> Innovative Technology Solutions
> Texas Health Resources
> 600 E. Lamar Blvd, Ste 301, Arlington TX 76011
> melindasa...@texashealth.org
> Texas Health Resources: Arlington Memorial, Harris Methodist and Presbyterian Hospitals. A shared mission and now a shared name.
>
> The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Question regarding IIS Windows Authentication using Tomcat Connector
FQN = fully qualified name (it's unambiguous, usually machine-name\username or domain-name\username). It's there and returned by the Waffle tomcat authenticator. But names may change (people get married, groups get renamed), so Windows has a concept of SID: it's a binary identifier (S-xyz) that never changes and is unique. So permissions are typically done with that rather than with fully qualified names. There's a bit of work left in Waffle to expose SIDs in the principal object(s).

I have no idea what JCIFS can or cannot do for you, but mixing IIS and Tomcat seems like a suboptimal way to go, to say the least. Waffle theoretically should resolve this, but your specific application is what really matters.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Thursday, May 20, 2010 9:16 AM
To: 'Tomcat Users List'
Subject: RE: Question regarding IIS Windows Authentication using Tomcat Connector

> A few questions on your post below, and pardon my ignorance, but what is a user's FQN? Are you stating that Waffle does NOT provide a user id from the request? Are the WEB.XML settings required? [...]
RE: Question regarding IIS Windows Authentication using Tomcat Connector
Thanks for the reply. 2 more questions if you don't mind:

1. Just wanted to confirm that Waffle does support NTLMv2? We do not use Kerberos on our network.
2. Are the web.xml settings required? Again, we have our own custom security package and it is defined in the web.xml file. As stated previously, I do not have time to rewrite the security code in order to accommodate a product that requires that we use their settings in web.xml.

Just an FYI, in JCIFS we are able to acquire the domain and user from the Type3Message class. JCIFS uses the challenge-response paradigm.

Thanks for the work that you're doing. More and more Java web teams will need something like this as their companies move over to products like Windows 7 where NTLMv1 is no longer acceptable.

Regards.

-----Original Message-----
From: dB. [mailto:dbl...@dblock.org]
Sent: Thursday, May 20, 2010 9:10 AM
To: Tomcat Users List
Subject: RE: Question regarding IIS Windows Authentication using Tomcat Connector

> FQN = fully qualified name (it's unambiguous, usually machine-name\username or domain-name\username). It's there and returned by the Waffle tomcat authenticator. [...]
RE: Question regarding IIS Windows Authentication using Tomcat Connector
1. Yes. It will support whatever your Windows box supports since it calls the native Windows API. Smartcards, retinal scans, etc.
2. They are not; your code should be fine.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Thursday, May 20, 2010 10:34 AM
To: 'Tomcat Users List'
Subject: RE: Question regarding IIS Windows Authentication using Tomcat Connector

> Thanks for the reply. 2 more questions if you don't mind:
> 1. Just wanted to confirm that Waffle does support NTLMv2? We do not use Kerberos on our network.
> 2. Are the web.xml settings required? [...]
Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )
On 20.05.2009 07:20, pappu wrote:

> Chuck,
>
> > If by Tomcat 5 you really mean Tomcat 5.0, please be aware that 5.0 has not been supported for quite some time. You do need to move up.
>
> Yes, I do mean Tomcat 5.0. [...] Could you let me know if there is an option to resolve this error without doing the upgrade?

The necessary feature (bigger AJP packet sizes) has been backported to Tomcat 5.5.

Regards,

Rainer
Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )
Pappu,

On 5/20/2009 1:20 AM, pappu wrote:
> Yes, I do mean Tomcat 5.0. The reason why we are having this version is because we have Business Objects (Analytics Tool) configured to run on Tomcat and it only supports Tomcat 5.0 and Tomcat 5.5. When we did this about 3 yrs ago I believe only 5.0 would have been supported.

Tomcat 5.5 is still supported by the community. You should be able to move up to 5.5.27 (the current 5.5.x version) and still be covered for Business Objects.

> Could you let me know if there is an option to resolve this error without doing the upgrade?

Probably not.

-chris
Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )
Hi,

We are running our application on Tomcat 5 and have authorization done by IIS and have configured the IIS to Tomcat communication using the isapi_redirect. We are facing this issue where we get the "Request Entity too Large" error when we try for certain ids. Since we are running on Tomcat 5 we can't do the mod_jk change. Could you please suggest how to resolve this issue?

Thanks in advance.

AM

baumar wrote:
> Hi,
>
> We are running an application on Tomcat 6. The authorization is done by IIS with Integrated Windows authentication selected. Whenever we try to access any page (with IE6), we get a "request entity too large" response. [...]
>
> Thanks
> Markus

--
View this message in context: http://www.nabble.com/%22Request-entity-too-large%22-when-using-SSO-%28IIS-Integrated-Windows-authentication--Tomcat-%29-tp23099072p23613947.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )
AM,

On 5/19/2009 6:59 AM, pappu wrote:
> We are running our application on Tomcat 5 and have authorization done by IIS and have configured the IIS to Tomcat communication using the isapi_redirect. We are facing this issue where we get the Request Entity too Large error when we try for certain ids. Since we are running on Tomcat 5 we can't do the mod_jk change.

What mod_jk change? What does running Tomcat 5 (specifically) have to do with it?

-chris
Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )
Chris,

> What mod_jk change? What does running Tomcat 5 (specifically) have to do with it?

The Tomcat link below gives instructions on how to increase the max_packet_size for AJP. It mentions that this is available only from Tomcat 5.5.20+ and 6.0.2+. So our having Tomcat 5 means that we cannot change this.

http://tomcat.apache.org/connectors-doc/reference/workers.html

I checked in the isapi logs and I see the error that "the HTTP method does not allow the data transmitted, or the data volume exceeds the capacity limit".

I somehow need to be able to pass the URL from IIS to Tomcat. If I remove the setting for isapi_redirect and directly use response.redirect(tomcat url) in the ASP page it works fine, but I need the requests to be serviced only via IIS.

-AM
RE: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )
From: pappu [mailto:anaga_mahade...@infosys.com]
Subject: Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

> So our having Tomcat 5 means that we cannot change this.

If by Tomcat 5 you really mean Tomcat 5.0, please be aware that 5.0 has not been supported for quite some time. You do need to move up.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )
Chuck,

> If by Tomcat 5 you really mean Tomcat 5.0, please be aware that 5.0 has not been supported for quite some time. You do need to move up.

Yes, I do mean Tomcat 5.0. The reason why we are having this version is because we have Business Objects (Analytics Tool) configured to run on Tomcat and it only supports Tomcat 5.0 and Tomcat 5.5. When we did this about 3 yrs ago I believe only 5.0 would have been supported.

Could you let me know if there is an option to resolve this error without doing the upgrade?

-AM
Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )
Hi,

We are running an application on Tomcat 6. The authorization is done by IIS with Integrated Windows authentication selected. Whenever we try to access any page (with IE6), we get a "request entity too large" response. We switched IIS to Basic authentication, and then it works.

By analyzing the network traffic, we saw that IIS is adding a Kerberos header with encrypted data and guess this data cannot be handled by the jconnector or Tomcat. We made a test where we switched off Tomcat and still got the same error, so unless we got some cached reply, this means the error might be thrown by the jconnector, but we have no clear evidence.

Did anybody encounter a similar case or know how to resolve this?

Thanks
Markus
Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )
Markus,

Is the header name called Authentication? If so, we had this exact same issue a few years ago. The length of this HTTP header was too long for mod_jk to process and the request was getting dropped. I think you might be able to configure the packet size of mod_jk now to get around this problem. Our solution a few years ago was that I built an ISAPI filter that removed the Authentication header before it was sent to Tomcat (since this wasn't needed).

Scott

On Fri, Apr 17, 2009 at 10:46 AM, baumar <mbj...@active.ch> wrote:
> Hi,
>
> We are running an application on Tomcat 6. The authorization is done by IIS with Integrated Windows authentication selected. Whenever we try to access any page (with IE6), we get a "request entity too large" response. [...] By analyzing the network traffic, we saw that IIS is adding a Kerberos header with encrypted data and guess this data cannot be handled by the jconnector or Tomcat. [...]
>
> Thanks
> Markus
Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )
On 17.04.2009 16:55, Scott Bradshaw wrote:
> Markus,
>
> Is the header name called Authentication? If so, we had this exact same issue a few years ago. The length of this HTTP header was too long for mod_jk to process and the request was getting dropped. I think you might be able to configure the packet size of mod_jk now to get around this problem. [...]

What is jconnector? Are you using the isapi redirector to connect IIS and Tomcat (the IIS relative of mod_jk)? If so, the whole request including headers is not allowed to exceed 8KB (excluding any request bodies, e.g. when using the POST method). If you need to send bigger requests, you will need to use a non-standard configuration to exceed the AJP packet size limitations of the AJP13 protocol. Look for max_packet_size on the page

http://tomcat.apache.org/connectors-doc/reference/workers.html

Regards,

Rainer

> On Fri, Apr 17, 2009 at 10:46 AM, baumar <mbj...@active.ch> wrote:
> > [...] By analyzing the network traffic, we saw that IIS is adding a Kerberos header with encrypted data and guess this data cannot be handled by the jconnector or Tomcat. [...]
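The two connector-side settings these threads circle, written out as an added example rather than configuration posted by anyone in them: the 8KB limit Rainer describes is the AJP packet size, which has to be raised on both ends (Tomcat's server.xml and the isapi_redirect worker), and tomcatAuthentication="false" is the Tomcat-side switch that lets the user IIS has already authenticated reach getRemoteUser(), the NULL Melinda hits in the thread further up. The port, the worker name ajp13w and the 64KB value are assumptions.

```xml
<!-- conf/server.xml: the AJP connector that isapi_redirect talks to.
     Added example; port, worker name and sizes are assumptions, not values
     from the thread. -->

<!-- As shipped: packetSize defaults to 8192 and tomcatAuthentication to
     true.  An Authorization: Negotiate header carrying a Kerberos ticket with
     a large PAC (many group memberships) pushes the forwarded request past
     8KB, so the redirector rejects it with "Request entity too large" before
     Tomcat ever sees it; and because Tomcat re-authenticates, the user IIS
     verified is discarded and getRemoteUser() returns null. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Corrected: 65536 is the AJP maximum.  tomcatAuthentication="false" makes
     Tomcat take the principal the web server already verified through
     Integrated Windows Authentication instead of running its own
     authenticator, so request.getRemoteUser() yields DOMAIN\user. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           packetSize="65536"
           tomcatAuthentication="false" />

<!-- Caveat: with tomcatAuthentication="false" Tomcat trusts whatever user
     name arrives over AJP, so port 8009 must be reachable only from the IIS
     host (bind it with the Connector's address attribute and/or firewall it);
     anyone who can open an AJP connection could otherwise assert a user.

     The isapi_redirect side lives in workers.properties and MUST agree with
     packetSize, or the two ends disagree on packet framing:
       worker.list=ajp13w
       worker.ajp13w.type=ajp13
       worker.ajp13w.host=localhost
       worker.ajp13w.port=8009
       worker.ajp13w.max_packet_size=65536
     Per the workers reference linked above, the larger packet size needs
     Tomcat 5.5.20+ or 6.0.2+ and a redirector build that knows
     max_packet_size. -->
```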
using windows authentication through jTDS on BIRT on TOMCAT
Hi,

I'm a newbie with Tomcat. Can somebody help me solve my problem? I really appreciate it, because it has made me frustrated.

Currently I'm working with BIRT, Tomcat and MSSQL. I use BIRT to create reports as an add-on to our ERP. We tried using Windows authentication as SSO in all the reports, so the roles are described in MSSQL security and the reports' security is based only on security from MSSQL. I'm using jTDS as the JDBC driver because it can integrate Windows Authentication.

When I design the report, the driver works well, so I could use MSSQL roles as security in my report: for example, when I set that domain\user can access view stock, then in the report the user can access the view; when I set that the user cannot access or execute the view or stored procedure in MSSQL, then the report cannot retrieve the data. In RCP design all works fine.

But when I copy the report to the Tomcat webapps, the driver doesn't work. The error log says that it couldn't authenticate the domain\user against MSSQL, so the connection cannot be opened.

Can anyone help me with this problem?

Thanks in advance
Hendrik
Integrated Windows Authentication in Tomcat
Hi,

I want to use Microsoft Integrated Windows Authentication based on Kerberos in Tomcat using Microsoft IE browsers. I found this:

http://appliedcrypto.com/files/tomcat_spnego.pdf

Do you know of any other free solutions? Are there better alternatives? Has anyone tried this before? If yes, is it working 100%? Are there problems?

Kind regards

Faris Ahmed | Development Project Manager | Infor | Tel: +49 (0) 6151 866 7814 | Fax: +49 (0) 6151 866 7088 | mailto:[EMAIL PROTECTED]
Postal address: Infor Global Solutions Darmstadt GmbH | Landwehrstr. 50, 64293 Darmstadt | Registered office: Darmstadt | Commercial register: Amtsgericht Darmstadt, HRB 5556 | Managing directors: Jochen Kasper, Uwe Richter
Re: Integrated Windows Authentication in Tomcat
Date sent: Tue, 22 Jul 2008 15:52:34 +0200
From: Faris Ahmed [EMAIL PROTECTED]
Subject: Integrated Windows Authentication in Tomcat
To: users@tomcat.apache.org
Send reply to: Tomcat Users List users@tomcat.apache.org

> Hi,
>
> I want to use Microsoft Integrated Windows Authentication based on Kerberos in Tomcat using Microsoft IE browsers. I found this: http://appliedcrypto.com/files/tomcat_spnego.pdf
>
> Do you know of any other free solutions? Are there better alternatives?

I haven't used this but it seems to be popular, JCIFS: http://jcifs.samba.org/src/docs/ntlmhttpauth.html

-Steve O.

> Has anyone tried this before? If yes, is it working 100%? Are there problems?
Problem with tomcat behind IIS and modjk using integrated windows authentication
Hello,

I developed a web application with Tomcat 6.0.14 behind IIS 6 (IIS5 isolation mode) using mod_jk (1.2.25) and Integrated Windows Authentication. I configured IIS and mod_jk following the descriptions in the connectors documentation. For most of the users (~70%) it works without problems. The rest always get "service unavailable" from IIS. Other ASP applications which are using Integrated Windows Authentication work for the affected users. I looked in the log files of IIS and mod_jk and found nothing.

I think it must have something to do with the Windows profile, because when we delete the Windows profile of the user (c:\Documents and Settings\user) and recreate it, then all works well for this user. We don't know why this happens; we can't see a difference between working profiles and non-working ones, e.g. the IE settings are the same. The problem is we cannot kill and recreate all the profiles of the affected users.

Thanks in advance,
Martin
Re: Problem with tomcat behind IIS and modjk using integrated windows authentication
Martin Grüneberg wrote:

> I think it must have something to do with the Windows profile, because when we delete the Windows profile of the user (c:\Documents and Settings\user) and recreate it, then all works well for this user. We don't know why this happens; we can't see a difference between working profiles and non-working ones, e.g. the IE settings are the same. The problem is we cannot kill and recreate all the profiles of the affected users.

In this scenario I would suggest using one of the following to look at the traffic to see what the difference is, because there must be one:
- ieHttpHeaders
- TCPMon from the Apache Axis project

Mark
Re: Windows Authentication against multiple domains
I can't suggest any open-source/free products, but allow me to suggest reading the following article if you want to roll your own solution one of these days in the Windows world: http://www.microsoft.com/msj/0899/kerberos/kerberos.aspx

Once you read it, I hope you will be able to see how you can put some amount of work in from your side and leverage Kerberos as a solution across Windows domains. But maybe I misunderstood your problem; maybe you don't want SSO across multiple domains. Maybe you simply want a piece of code that can connect to multiple ADs instead of just one? I suggest a bit more clarification so that the list readers may understand your use case.

Cheers!

On 2/9/07, Suneet Shah [EMAIL PROTECTED] wrote:

> Hello,
>
> We have this capability in our open source identity and access management solution, where you can use more than one repository for authentication. You may be able to use just the authentication service, as taking on the rest of it may be more than what you need. The project is OpenIAM on SourceForge. We will be putting out a new release this weekend. If you are interested in taking a look, let me know and I can send you a link.
>
> Regards
> Suneet
>
> On 2/9/07, Uwe_77 [EMAIL PROTECTED] wrote:
>
>> Sure, I will let you know. Perhaps we need third party tools. Does someone know a solution?
Windows Authentication against multiple domains
Hi,

I have a Tomcat web application, and logon needs to be done via Windows authentication (LDAP). I configured authentication against LDAP; that works fine for one domain. The problem is that we have users in multiple domains. Is there a way to configure authentication against the whole Active Directory forest?

Thanks for your help!
Uwe
RE: Windows Authentication against multiple domains
If you find out, please let me know... I'm barking up that tree, too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, February 09, 2007 4:50 PM
To: users@tomcat.apache.org
Subject: Windows Authentication against multiple domains

> Hi,
>
> I have a Tomcat web application, and logon needs to be done via Windows authentication (LDAP). I configured authentication against LDAP; that works fine for one domain. The problem is that we have users in multiple domains. Is there a way to configure authentication against the whole Active Directory forest?
>
> Thanks for your help!
> Uwe
RE: Windows Authentication against multiple domains
Sure, I will let you know. Perhaps we need third party tools. Does someone know a solution?

-- View this message in context: http://www.nabble.com/RE%3A-Windows-Authentication-against-multiple-domains-tf3203321.html#a8895171
Re: Windows Authentication against multiple domains
Hello,

We have this capability in our open source identity and access management solution, where you can use more than one repository for authentication. You may be able to use just the authentication service, as taking on the rest of it may be more than what you need. The project is OpenIAM on SourceForge. We will be putting out a new release this weekend. If you are interested in taking a look, let me know and I can send you a link.

Regards
Suneet

On 2/9/07, Uwe_77 [EMAIL PROTECTED] wrote:

> Sure, I will let you know. Perhaps we need third party tools. Does someone know a solution?
RE: Windows Authentication against multiple domains
I am yet another barking up that tree.

--- Propes, Barry L [GCG-NAOT] [EMAIL PROTECTED] wrote:

> If you find out, please let me know... I'm barking up that tree, too.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 09, 2007 4:50 PM
> To: users@tomcat.apache.org
> Subject: Windows Authentication against multiple domains
>
>> Hi,
>>
>> I have a Tomcat web application, and logon needs to be done via Windows authentication (LDAP). I configured authentication against LDAP; that works fine for one domain. The problem is that we have users in multiple domains. Is there a way to configure authentication against the whole Active Directory forest?
>>
>> Thanks for your help!
>> Uwe