All systems are domain-joined to a mature IT Lab and the issue is with the
Tomcat server configuration as it should load the krb5.ini and/or jaas.conf and
activity should be observable on the Web server - whether or not any error is
generated. It is not clear to me what the design load process / order of the
call stack should be in the SPNEGO Authentication design. This would help
focus on where the issue is. I ran Process Monitor during a Network Client PC
TCP session to the Tomcat Web Server as well as during start of the Tomcat Web
service.

During either of these I don’t observe any calls to jaas.conf or krb5.ini.

What should initiate loading of these and at what point should they load?



Observation Notes:

Process Monitor for Tomcat7.exe when browsing to
http://server/SPNEGOAuthTest.jsp shows in summary

TCP Accept: Server -> PC
TCP Receive: Server -> PC
CreateFile:  .\Tomcat7.0\webapps\ROOT\SPNEGOAuthTest.jsp
QueryNetworkOpenInformationFile:
CloseFile:
CreateFile:...
CreateFile: .\ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class
CloseFile: .\ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class
...
TCP Send:  Server -> PC

In the SPNEGOAuthTest.jsp HTML response:

  request.getRemoteUser() response shows value of “Nul”

  request.getRemoteAddr() does show the IP address of the PC



Process Monitor during Tomcat Service start -

Calls are shown to

   .\conf\server.xml
   mbeans-descriptors.xml
   .\conf\tomcat-users.xml
   .\conf\context.xml
   .\conf\web.xml

Again no calls to jaas.conf or krb5.ini


> Date: Thu, 28 Feb 2013 06:42:35 -0800
> From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
> 
> On 28/02/2013 02:18, Chris Fors wrote:
> > Trying to get Windows Authentication operational using the Tomcat
> > Built-in method.  Implemented the following but not observed any
> > Windows / Kerberos authentication occurring:
> >
> > - Domain joined windows member server
> > - Domain service account
> > - Delegated SPN for HTTP protocol on the member server to the service
> >   account
> > - Generated keytab file for the service account and saved in
> >   $catalina.base\conf folder
> > - Created Valve in context.xml of className
> >   org.apache.catalina.authenticator.SpnegoAuthenticator
> > - Created krb5.ini and saved in $catalina.base\conf folder
> > - Created jaas.conf and saved in $catalina.base\conf folder
> >
> > After this still no observed effect on logon authentications – all
> > still apparently anonymous.
> 
> As expected from what you have described.
> 
> If there are no security constraints on a resource, Tomcat isn't going 
> to require authentication.
> 
> 
> >   Anyone had success with this ?
> 
> Yes. I have a set of test VMs (1 domain controller, 1 Tomcat server and 
> 1 client) where this feature works.
> 
> > Any ideas on what is missing? Is there a good way to debug the
> > process?
> 
> See above. I'd expect to see some changes to the webapp.
> 
> Mark
> 
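
Mark's point in the quoted reply, that a resource with no security constraint never requires authentication, can be checked directly against a webapp's web.xml. The following is an added example, not code from this thread or from Tomcat: a small Python audit of a deployment descriptor. Both sample descriptors, the role name `users` and the `/*` pattern are constructed assumptions; `SPNEGO` is the auth-method value used by Tomcat's built-in Windows authentication.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip the XML namespace so namespaced and plain descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]

def find_all(elem, name):
    return [e for e in elem.iter() if local(e.tag) == name]

def audit_web_xml(xml_text):
    """Return (protected URL patterns, reasons authentication would not run)."""
    root = ET.fromstring(xml_text)
    protected, problems = [], []
    for c in find_all(root, "security-constraint"):
        # A constraint without <auth-constraint> does not require a login.
        if find_all(c, "auth-constraint"):
            protected += [(p.text or "").strip() for p in find_all(c, "url-pattern")]
    if not protected:
        problems.append("no security-constraint with auth-constraint: requests stay anonymous")
    methods = [(m.text or "").strip() for m in find_all(root, "auth-method")]
    if methods != ["SPNEGO"]:
        problems.append("login-config auth-method is %r, expected ['SPNEGO']" % (methods,))
    return protected, problems

# Constructed sample: a descriptor with no constraints, as the thread describes.
UNPROTECTED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>"""

# Constructed sample: the same app with a constraint and a SPNEGO login-config.
# The role name "users" and the /* pattern are assumptions for illustration.
PROTECTED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>users</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>SPNEGO</auth-method></login-config>
  <security-role><role-name>users</role-name></security-role>
</web-app>"""

if __name__ == "__main__":
    for name, doc in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, audit_web_xml(doc))
```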
                                          
