Any help with this would be very much appreciated.  We are trying to proof of
concept this to return the remote user's domain login name to use it in a Web
application.  We are attempting to use a keytab method to hopefully negate any
requirement for exposing the Kerberos principal delegate in any server
configuration files.

We have a test configuration for SpnegoAuthenticator authentication using Apache
Tomcat/7.0.47 in a sandbox environment.  From a remote client workstation we are
seeing an HTTP 500 error when testing, and we are looking for some insight as to what is
wrong or missing in our test environment.

Environment:

Apache Tomcat/7.0.47
Java JDK/JRE 1.7.0_45
Test Workstation:  Windows 7 x64 (domain joined)
Test Server:  Windows Server 2008 R2

When testing, see the log dump --->

  Nov 14, 2013 10:04:50 PM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
  SEVERE: Unable to login as the service principal
  javax.security.auth.login.LoginException: Unable to obtain password from user
            at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
            at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
            at java.lang.reflect.Method.invoke(Unknown Source)
            at javax.security.auth.login.LoginContext.invoke(Unknown Source)
            at javax.security.auth.login.LoginContext.access$000(Unknown Source)
            at javax.security.auth.login.LoginContext$4.run(Unknown Source)
            at javax.security.auth.login.LoginContext$4.run(Unknown Source)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
            at javax.security.auth.login.LoginContext.login(Unknown Source)
            at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:214)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
            at java.lang.Thread.run(Unknown Source)



SPN is delegated to the domain account with UPN:  svctomca...@mydom.int

(setspn -a http/tomcatsvr.mydom.int:8080 svctomcatdv)

* Domain Controller DC1 is Server 2008 R2
* Windows server hosting Tomcat is Server 2008 R2
* PC is Windows 7 and configured to automatically log in in the Intranet zone identified by *.mydom.int

Keytab generated using the ktpass.exe utility with the command:

ktpass /crypto AES256-SHA1 /princ svctomca...@mydom.int /pass * /kvno 0 /ptype KRB5_NT_SRV_INST /out "C:\temp\tc.keytab"

Tomcat Java options set are (one per line):

-Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 7.0
-Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 7.0
-Djava.endorsed.dirs=C:\Program Files\Apache Software Foundation\Tomcat 7.0\endorsed
-Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 7.0\temp
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\logging.properties
-Djava.security.krb5.conf=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\krb5.ini
-Djava.security.auth.login.config=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\jaas.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=true

Context.xml has the SPNEGO Valve declared ---

<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
       loginConfigName="com.sun.security.auth.module.Krb5LoginModule.accept"
       storeDelegatedCredential="true" />

Web.xml has security constraints, roles, and the SPNEGO authentication method ---

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All JSP Files</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>role1</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>
        The role that is required to access the pages
    </description>
    <role-name>role1</role-name>
</security-role>

<login-config>
    <auth-method>SPNEGO</auth-method>
</login-config>

Krb5.ini ---

[libdefaults]
    default_realm = MYDOM.INT
    default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac
    default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
    permitted_enctypes   = aes256-cts aes128-cts rc4-hmac
    default_keytab_name = "C:\temp\tomcat.keytab"
    forwardable = true

[realms]
    MYDOM.INT = {
        kdc = dc1.mydom.int
        default_domain = mydom.int
    }

[domain_realm]
    .mydom.int = MYDOM.INT
    mydom.int = MYDOM.INT

jaas.conf is as ---

com.sun.security.auth.module.Krb5LoginModule.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="svctomca...@mydom.int"
    useKeyTab=true
    keyTab="c:/temp/tomcat.keytab"
    storeKey=true;
};

com.sun.security.auth.module.Krb5LoginModule.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="svctomca...@mydom.int"
    useKeyTab=true
    keyTab="c:/temp/tomcat.keytab"
    storeKey=true;
};
