On Friday, 31.05.2013, 10:17 -0500, Edward Siewick wrote:
> Hi.
>
> I'm trying to get a baseline configuration working, following the
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm
> apparently off in the weeds having missed something, though. So I'd really
> appreciate a sanity check of my configuration, and the testcase I'm
> attempting. I've got something messed up, and I'm looking for guidance on
> what to check.
>
> Environment is:
> Tomcat-7.0.33
> Redhat RHEL 6.3
> Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012
> x86_64 x86_64 x86_64 GNU/Linux
>
> AD is on a Win2008R2 server.
> Client is MSIE on a Win2007 workstation. "Enable Integrated Windows
> Authentication" is set to true.
>
> The MSA, keytab and Linux Kerberos bits seem to be OK. For completeness,
> here's what I've got.
>
> setspn -A HTTP/openid-linux.openidmdev.com tomcat7
> ktpass -princ HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
>   -mapuser tomc...@openidmdev.com<mailto:tomc...@openidmdev.com> -crypto AES256-SHA1
>   -pass "mySecret,78." -ptype KRB5_NT_PRINCIPAL -kvno 0 -out tomcat7.keytab

I hope the mailto: links are not part of your principals.
>
> /etc/krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = OPENIDMDEV.COM
>  default_keytab_name = FILE:/usr/share/tomcat7c/conf/tomcat7.keytab
>  default_tkt_enctypes = aes256-cts-hmac-sha1-96
>  default_tgs_enctypes = aes256-cts-hmac-sha1-96
>  forwardable = true
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>
> [realms]
>  OPENIDMDEV.COM = {
>   kdc = openiddc.openidmdev.com:88
>   admin_server = openiddc.openidmdev.com
>  }
> [domain_realm]
>  openidmdev.com = OPENIDMDEV.COM
>  .openidmdev.com = OPENIDMDEV.COM
>
> The krb5.conf generally works. Using my domain username and password:
>
> kinit -V esiewick
> Using default cache: /tmp/krb5cc_0
> Using principal: esiew...@openidmdev.com<mailto:esiew...@openidmdev.com>
> Password for esiew...@openidmdev.com<mailto:esiew...@openidmdev.com>:
> Authenticated to Kerberos v5
>
> The keytab contains one key:
>
> klist -e -k /usr/share/tomcat7c/conf/tomcat7.keytab
> Keytab name: WRFILE:/usr/share/tomcat7c/conf/tomcat7.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    0 HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com> (aes256-cts-hmac-sha1-96)
>
> The krb5 config is generally happy with the contents of the keytab:
>
> kinit -V -k -t /usr/share/tomcat7c/conf/tomcat7.keytab HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
> Using keytab: /usr/share/tomcat7c/conf/tomcat7.keytab
> Authenticated to Kerberos v5
>
> So I'm confident the MSA and the keytab are OK.
>
> The Tomcat7 configurations are localized, based on the descriptions in the
> windows-auth-howto.html.
> For the Java options, the init script uses:
>
> JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server \
>  -Djava.security.krb5.conf=/etc/krb5.conf \
>  -Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
>  -Djavax.security.auth.useSubjectCredsOnly=false \
>  -Xms1536m \
>  -Xmx1536m \
>  -XX:NewSize=256m \
>  -XX:MaxNewSize=256m \
>  -XX:PermSize=256m \
>  -XX:MaxPermSize=256m \
>  -XX:+DisableExplicitGC"

Better would be CATALINA_OPTS instead of JAVA_OPTS, since those values are only needed for startup.

>
> /usr/share/tomcat7c/conf/jaas.conf is:
>
> com.sun.security.jgss.krb5.initiate {
>  com.sun.security.auth.module.Krb5LoginModule required
>  doNotPrompt=true
>  principal="HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>"
>  useKeyTab=true
>  keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>  storeKey=true
>  debug=true;
> };
> com.sun.security.jgss.krb5.accept {
>  com.sun.security.auth.module.Krb5LoginModule required
>  doNotPrompt=true
>  principal="HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>"
>  useKeyTab=true
>  keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>  storeKey=true
>  debug=true;
> };
>
> In /usr/share/tomcat7c/conf/server.xml, I've simply uncommented:
>
> <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

That valve is not needed for SPNego. You can leave it commented.

>
> For a testcase, I'm using the Tomcat7 "manager" webapp.
> In /usr/share/tomcat7c/webapps/manager/WEB-INF/web.xml
> I've simply adjusted:
>
> <login-config>
>  <auth-method>BASIC</auth-method>
>  <realm-name>Tomcat Manager Application</realm-name>
> </login-config>
> to:
> <login-config>
>  <auth-method>SPNEGO</auth-method>
>  <realm-name>Tomcat Manager Application</realm-name>
> </login-config>
>
> For /usr/share/tomcat7c/conf/tomcat-users.xml:
>
> <tomcat-users>
>  <role rolename="tomcat"/>
>  <role rolename="manager"/>
>  <role rolename="manager-gui"/>
>  <user username="esiew...@openidmdev.com<mailto:esiew...@openidmdev.com>"
>        password="" roles="tomcat,manager,manager-gui"/>
> </tomcat-users>
>
> In actually trying to use this configuration,
> http://openid-linux.openidmdev.com:8080/manager/status
> gives HTTP 500 and logs:
>
> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true
> ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/confx/tomcat7.keytab
> refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
> tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>
> Key for the principal HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
> not available in /usr/share/tomcat7c/confx/tomcat7.keytab
> [Krb5LoginModule] authentication failed
>
> Unable to obtain password from user
>
> May 31, 2013 8:55:15 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Unable to obtain password from user
>  at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>  at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
>  at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>  at java.lang.reflect.Method.invoke(Unknown Source)
>  at javax.security.auth.login.LoginContext.invoke(Unknown Source)
>  at javax.security.auth.login.LoginContext.access$000(Unknown Source)
>  at javax.security.auth.login.LoginContext$4.run(Unknown Source)
>  at java.security.AccessController.doPrivileged(Native Method)
>  at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
>  at javax.security.auth.login.LoginContext.login(Unknown Source)
>  at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:215)
>  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
>  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:931)
>  at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
>  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>  at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>  at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>  at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>  at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>  at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>  at java.lang.Thread.run(Unknown Source)
> [Krb5LoginModule]: Entering logout
> [Krb5LoginModule]: logged out Subject
>
> I trust that the configuration at least is reading the jaas.conf, since the
> first line of logging reflects its settings.
> However, I'm not convinced
> Krb5LoginModule is actually reading /usr/share/tomcat7c/conf/tomcat7.keytab;
> I can change:
>  keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
> to:
>  keyTab="/usr/share/tomcat7c/conf-junk/tomcat7.keytab"
> and get the same log "Key for the principal...not available" result (+
> "-junk" of course).
>
> Well-founded guidance, clues, and even good guesses are all welcome.

I would look whether IE is sending an Authorization header.

Greetings
Felix

>
> Edward
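To follow up on Felix's last suggestion, here is an added example (not part of the original thread) that classifies what a browser's Authorization header actually carries: a SPNEGO or Kerberos GSS-API token, or a raw NTLM token, which a Kerberos-only Krb5LoginModule setup can never accept. The three sample headers are constructed for the demonstration, not captured from the poster's environment.

```python
import base64

# Well-known GSS-API mechanism OIDs that an initial Negotiate token may name.
MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
}

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(raw):
    """Turn the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def classify_authorization(header_value):
    """Say what an HTTP Authorization header actually carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not Negotiate (scheme %s)" % scheme
    token = base64.b64decode(b64)
    # IE sends a raw NTLM token when it could not obtain a Kerberos ticket.
    if token.startswith(b"NTLMSSP\x00"):
        return "raw NTLM"
    # RFC 2743 InitialContextToken: [APPLICATION 0] { OID mech, inner token }
    if not token or token[0] != 0x60:
        return "unrecognised token"
    _, pos = _der_length(token, 1)
    if token[pos] != 0x06:
        return "unrecognised token"
    oid_len, pos = _der_length(token, pos + 1)
    return MECH_OIDS.get(_decode_oid(token[pos:pos + oid_len]), "unknown mechanism")

# Constructed sample headers (not captured from the original poster's setup).
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex("600c06062b0601050502a0023000")).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(bytes.fromhex("600b06092a864886f712010202")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()
```

Feed it the Authorization header copied from the browser's developer tools or a proxy trace; a "raw NTLM" result means the client never obtained a Kerberos ticket for the HTTP/ service principal, which is a different problem from the server-side keytab failure in the log above.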