RE: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
All systems are domain-joined to a mature IT Lab and the issue is with the Tomcat server configuration as it should load the krb5.ini and/or jaas.conf and activity should be observable on the Web server - whether or not any error is generated.

It is not clear to me what the design load process / order of the call stack should be in the SPNEGO Authentication design. This would help focus on where the issue is.

I ran Process Monitor during a Network Client PC TCP session to the Tomcat Web Server as well as during start of the Tomcat Web service. During either of these I don’t observe any calls to jaas.conf, or krb5.ini. What should initiate loading of these and at what point should they load?

Observation Notes:

Process Monitor for Tomcat7.exe when browsing to http://server/SPNEGOAuthTest.jsp shows in summary

TCP Accept: Server - PC
TCP Receive: Server - PC
CreateFile: .\Tomcat7.0\webapps\ROOT\SPNEGOAuthTest.jsp
QueryNetworkOpenInformationFile:
CloseFile:
CreateFile:...
CreateFile: .\ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class
CloseFile . \ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class
...
TCP Send: Server - PC

In the SPNEGOAuthTest.jsp HTML response:
request.getRemoteUser() response shows value of “Nul”
request.getRemoteAddr() does show the IP address of the PC

Process Monitor during Tomcat Service start - Calls are shown to
.\conf\server.xml
mbeans-descriptors.xml
.\conf\tomcat-users.xml
.\conf\context.xml
.\conf\web.xml

Again no calls to jaas.conf, or krb5.ini

Date: Thu, 28 Feb 2013 06:42:35 -0800
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit

On 28/02/2013 02:18, Chris Fors wrote:
> Trying to get Windows Authentication operational using the Tomcat Built-in method.
> Implemented the following but not observed any Windows / Kerberos authentication occurring:
> - Domain joined windows member server
> - Domain service account
> - Delegated SPN for HTTP protocol on the member server to the service account
> - Generated keytab file for the service account and saved in $catalina.base\conf folder
> - Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
> - Created krb5.ini and saved in $catalina.base\conf folder
> - Created jaas.conf and saved in $catalina.base\conf folder
> After this still no observed effect on logon authentications – all still apparently anonymous.

As expected from what you have described. If there are no security constraints on a resource, Tomcat isn't going to require authentication.

> Anyone had success with this ?

Yes. I have a set of test VMs (1 domain controller, 1 Tomcat server and 1 client) where this feature works.

> Any ideas on what is missing? Is there a good way to debug the process?

See above. I'd expect to see some changes to the webapp.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
Trying to get Windows Authentication operational using the Tomcat Built-in method.

Implemented the following but not observed any Windows / Kerberos authentication occurring:
- Domain joined windows member server
- Domain service account
- Delegated SPN for HTTP protocol on the member server to the service account
- Generated keytab file for the service account and saved in $catalina.base\conf folder
- Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
- Created krb5.ini and saved in $catalina.base\conf folder
- Created jaas.conf and saved in $catalina.base\conf folder

After this still no observed effect on logon authentications – all still apparently anonymous.

Anyone had success with this ? Any ideas on what is missing? Is there a good way to debug the process?

Thanks
Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
Chris Fors wrote:
> Trying to get Windows Authentication operational using the Tomcat Built-in method.
> Implemented the following but not observed any Windows / Kerberos authentication occurring:
> - Domain joined windows member server
> - Domain service account
> - Delegated SPN for HTTP protocol on the member server to the service account
> - Generated keytab file for the service account and saved in $catalina.base\conf folder
> - Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
> - Created krb5.ini and saved in $catalina.base\conf folder
> - Created jaas.conf and saved in $catalina.base\conf folder
> After this still no observed effect on logon authentications – all still apparently anonymous.
> Anyone had success with this ? Any ideas on what is missing? Is there a good way to debug the process?

What is the OS platform ?

To debug the process : other than what you already did above, a network trace with Wireshark or similar ? (should be SMB exchanges I suppose)

Another couple of questions :
- is the client workstation that accesses the Tomcat server, itself in the Domain to which you are trying to authenticate ?
- from the point of view of that workstation and its browser, is that Tomcat server considered as inside the Domain, or at least trusted ? (because if not, then the browser will not even /try/ to use WIA authentication)
Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
On 28/02/2013 02:18, Chris Fors wrote:
> Trying to get Windows Authentication operational using the Tomcat Built-in method.
> Implemented the following but not observed any Windows / Kerberos authentication occurring:
> - Domain joined windows member server
> - Domain service account
> - Delegated SPN for HTTP protocol on the member server to the service account
> - Generated keytab file for the service account and saved in $catalina.base\conf folder
> - Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
> - Created krb5.ini and saved in $catalina.base\conf folder
> - Created jaas.conf and saved in $catalina.base\conf folder
> After this still no observed effect on logon authentications – all still apparently anonymous.

As expected from what you have described. If there are no security constraints on a resource, Tomcat isn't going to require authentication.

> Anyone had success with this ?

Yes. I have a set of test VMs (1 domain controller, 1 Tomcat server and 1 client) where this feature works.

> Any ideas on what is missing? Is there a good way to debug the process?

See above. I'd expect to see some changes to the webapp.

Mark
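
The point in Mark's reply, that Tomcat does not ask for credentials unless the webapp declares a security constraint, can be checked mechanically. The following is an added example, not part of the thread or of Tomcat: it audits a `WEB-INF/web.xml` for a role-bearing `security-constraint` and a `SPNEGO` `login-config`. Both sample descriptors and the role name `spnego-user` are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the thread). "spnego-user" is a
# hypothetical role name; the Realm in use must grant it to domain users.
NO_CONSTRAINT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>"""

CONSTRAINED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>spnego-user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>SPNEGO</auth-method></login-config>
  <security-role><role-name>spnego-user</role-name></security-role>
</web-app>"""


def _local(tag):
    """Drop the XML namespace so any web-app schema version is handled."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return findings; an empty list means some resource demands SPNEGO."""
    root = ET.fromstring(xml_text)
    findings = []
    # Only a constraint naming at least one role makes Tomcat ask for a login.
    guarded = [sc for sc in _children(root, "security-constraint")
               if any(_children(ac, "role-name")
                      for ac in _children(sc, "auth-constraint"))]
    if not guarded:
        findings.append("no security-constraint with a role: requests stay anonymous")
    methods = [(m.text or "").strip()
               for lc in _children(root, "login-config")
               for m in _children(lc, "auth-method")]
    if "SPNEGO" not in methods:
        findings.append("login-config auth-method is not SPNEGO")
    return findings

if __name__ == "__main__":
    for name, doc in (("NO_CONSTRAINT", NO_CONSTRAINT), ("CONSTRAINED", CONSTRAINED)):
        print(name, audit_web_xml(doc) or "OK")
```

A descriptor that fails the first check matches the symptom reported in the thread: pages are served and `request.getRemoteUser()` has no user to return.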