Any help with this would be very much appreciated. We are trying to build a proof of concept of this to return the remote user's domain login name and use it in a web application. We are attempting to use a keytab method to hopefully negate any requirement for exposing the Kerberos principal delegate in any server configuration files.
We have a test configuration for SpnegoAuthenticator authentication using Apache Tomcat/7.0.47 in a sandbox environment. From a remote client workstation we are seeing an HTTP 500 error when testing, and we are looking for some insight as to what is wrong or missing in our test environment.

Environment:
  Apache Tomcat/7.0.47
  Java JDK/JRE 1.7.0_45
  Test Workstation: Windows 7 x64 (domain joined)
  Test Server: Windows Server 2008 R2

When testing we see this log dump --->

Nov 14, 2013 10:04:50 PM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
SEVERE: Unable to login as the service principal
javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:214)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

The SPN is delegated to the domain account with UPN svctomca...@mydom.int:
  Setspn -a http/tomcatsvr.mydom.int:8080 svctomcatdv

* Domain Controller DC1 is Server 2008 R2
* Windows server hosting Tomcat is Server 2008 R2
* PC is Windows 7 and configured to automatically log in in the Intranet zone identified by *.mydom.int

Keytab generated using the ktpass.exe utility with the command:
  ktpass /crypto AES256-SHA1 /princ svctomca...@mydom.int /pass * /kvno 0 /ptype KRB5_NT_SRV_INST /out "C:\temp\tc.keytab"

Tomcat Java options set are:
  -Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 7.0
  -Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 7.0
  -Djava.endorsed.dirs=C:\Program Files\Apache Software Foundation\Tomcat 7.0\endorsed
  -Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 7.0\temp
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
  -Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\logging.properties
  -Djava.security.krb5.conf=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\krb5.ini
  -Djava.security.auth.login.config=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\jaas.conf
  -Djavax.security.auth.useSubjectCredsOnly=false
  -Dsun.security.krb5.debug=true

Context.xml has the Spnego Valve declared ---

  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
         loginConfigName="com.sun.security.auth.module.Krb5LoginModule.accept"
         storeDelegatedCredential="true" />

Web.xml has the security constraints, roles, and SPNEGO authentication method ---

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP Files</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>The role that is required to access the pages</description>
    <role-name>role1</role-name>
  </security-role>
  <login-config>
    <auth-method>SPNEGO</auth-method>
  </login-config>

Krb5.ini ---

  [libdefaults]
    default_realm = MYDOM.INT
    default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac
    default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
    permitted_enctypes = aes256-cts aes128-cts rc4-hmac
    default_keytab_name = "C:\temp\tomcat.keytab"
    forwardable = true

  [realms]
    MYDOM.INT = {
      kdc = dc1.mydom.int
      default_domain = mydom.int
    }

  [domain_realm]
    .mydom.int = MYDOM.INT
    mydom.int = MYDOM.INT

jaas.conf is as ---

  com.sun.security.auth.module.Krb5LoginModule.initiate {
      com.sun.security.auth.module.Krb5LoginModule required
          doNotPrompt=true
          principal="svctomca...@mydom.int"
          useKeyTab=true
          keyTab="c:/temp/tomcat.keytab"
          storeKey=true;
  };

  com.sun.security.auth.module.Krb5LoginModule.accept {
      com.sun.security.auth.module.Krb5LoginModule required
          doNotPrompt=true
          principal="svctomca...@mydom.int"
          useKeyTab=true
          keyTab="c:/temp/tomcat.keytab"
          storeKey=true;
  };

--------------------------------------------------------------------------------------
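The "Unable to obtain password from user" failure in the trace above is raised from Krb5LoginModule.promptForPass: with useKeyTab=true the module first looks in the keytab for a key belonging to the configured principal, and when no usable key is found it falls back to prompting, which doNotPrompt=true turns into this exception. The fastest way to narrow that down is to inspect the keytab file itself rather than the server logs. The following is an added example, not code from the original post or from Tomcat; it parses the MIT version-2 keytab format that ktpass writes and reports whether a given principal has a key in one of the enctypes permitted by krb5.ini. The sample keytab, the principal HTTP/tomcatsvr.mydom.int@MYDOM.INT, the second account svcother, and the key bytes are all constructed for the example.

```python
import struct

# Kerberos enctype numbers named in the krb5.ini on this page, and the
# principal name types ktpass /ptype can write.
ENCTYPE_NAMES = {17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST"}


def _read_counted(data, off):
    """Read a 16-bit length-prefixed octet string at off; return (text, new_off)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n].decode("utf-8"), off + n


def parse_keytab(data):
    """Parse an MIT version-2 (0x0502) keytab, the format ktpass writes, into
    a list of entry dicts (principal, name type, kvno, enctype, key length)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # negative size marks a deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno; a nonzero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_len": len(key),
        })
    return entries


def check_keytab(data, principal, enctypes):
    """Return [] when `principal` has a key in one of `enctypes`, otherwise a list
    of problems that explain why Krb5LoginModule would find no usable key."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        held = sorted({e["principal"] for e in entries}) or "nothing"
        return ["no entry for %s; keytab holds: %s" % (principal, held)]
    have = {e["enctype"] for e in mine}
    if not have & set(enctypes):
        names = lambda ts: sorted(ENCTYPE_NAMES.get(t, str(t)) for t in ts)
        return ["principal present but its enctypes %s match none of the permitted %s"
                % (names(have), names(enctypes))]
    return []


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples into a v2 keytab. Used
    here only to construct sample input; real keytabs come from ktpass/ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 2 if len(comps) > 1 else 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample keytab: an AES256 key for a service principal and an RC4 key
# for a second account. Key bytes are dummies, not real keys.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/tomcatsvr.mydom.int@MYDOM.INT", 18, 3, b"\x11" * 32),
    ("svcother@MYDOM.INT", 23, 1, b"\x22" * 16),
])

if __name__ == "__main__":
    permitted = [18, 17, 23]   # aes256-cts aes128-cts rc4-hmac, as in krb5.ini
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/tomcatsvr.mydom.int@MYDOM.INT", permitted))
    print(check_keytab(SAMPLE_KEYTAB, "svctomcatdv@MYDOM.INT", permitted))
```

To check a real file, read it with `open(path, "rb").read()` and pass it to `check_keytab` together with the exact `keyTab=` path and `principal=` value from the jaas.conf entry named by the valve's loginConfigName; the enctype list should be the one in `permitted_enctypes`. Three mismatches reproduce the trace above on their own: the file is not at the path the JAAS entry names, the principal string in the keytab (which ktpass writes from `/princ`, with the name type from `/ptype`) differs from the `principal=` string, or the key's enctype is not in the permitted set. The printed `kvno` is also worth comparing with the account's current key version, since the KDC rejects a stale one.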