David Marsh wrote:
Hello,
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've followed the guidelines on the website.
jaas.conf

com.sun.security.jgss.krb5.initiate {...};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/tc01.kerbtest.local@KERBTEST.LOCAL"
        useKeyTab=true
        keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tc01.keytab"
        storeKey=true;
};
krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable = true

[realms]
KERBTEST.LOCAL = {
    kdc = Server2012dc.kerbtest.local:88
}

[domain_realm]
kerbtest.local = KERBTEST.LOCAL
.kerbtest.local = KERBTEST.LOCAL
I want to use the tomcat manager app to test SPNEGO with Active Directory.
Tomcat is currently installed on the domain controller.
And that may well be the problem.
It seems like authentication is never completed as in the browser
(which is where? Also on the same host? What browser are you using?)
(If it is IE: does it have "enable Windows Integrated Authentication" checked? And is
the tomcat server recognised as being part of the "Intranet zone"?)
Also let us know what kind of platforms are involved at
- the browser level
- the tomcat level
- the KDC level (yes, I know, currently the same as tomcat; but maybe not in
future)
Recently I was having some problems also with Kerberos authentication, and while digging
the web for information, I remember reading somewhere that it would not work if the
browser was on the same host as the server (I do not remember if this counted also for the
Tomcat webserver, and I do not remember if this was platform-specific). But maybe your
problem is a variation of the same issue?
So basically, what I am telling you is to search in Google more specifically for things
such as "Kerberos and localhost" or similar.
Also, get an appropriate browser plugin to be able to really trace what kind of HTTP
headers are passed back and forth between the browser and the Tomcat server.
I get prompted for credentials over and over.
That is where the browser plugin (Fiddler, HttpFox, LiveHttpHeaders, etc.) is invaluable.
It will tell you if the browser is even /trying/ to perform Kerberos authentication e.g.
So there appear two issues :-
1. Authentication is not succeeding
2. SPNEGO accept header is not currently sent
I have created the tc01 and test users in active directory, and the keytab as
instructed.
I run tomcat as tc01 user :-
runas /env /user:tc01@kerbtest.local "startup.bat"
Output from running tomcat :-
Server startup in 3443 ms
24-Mar-2015 10:26:56.485 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.496 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.510 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.525 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.544 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.560 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.575 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.587 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.599 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): tc01.kerbtest.local
>>> KeyTab: load() entry length: 74; type: 23
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 7
>>> KdcAccessibility: reset
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=160
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=160
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
    PA-DATA type = 11
    PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
    PA-DATA type = 16
>>>Pre-Authentication Data:
    PA-DATA type = 15
KdcAccessibility: remove Server2012dc.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
    sTime is Tue Mar 24 10:26:57 GMT 2015 1427192817000
    suSec is 627351
    error code is 25
    error Message is Additional pre-authentication required
    sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
    eData provided.
    msgType is 30
>>>Pre-Authentication Data:
    PA-DATA type = 11
    PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
    PA-DATA type = 16
>>>Pre-Authentication Data:
    PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=243
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=243
>>>DEBUG: TCPClient reading 1467 bytes
>>> KrbKdcReq send: #bytes read=1467
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Tue Mar 24 20:26:57 GMT 2015
I create a realm in server.xml :-
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://192.168.78.8:389"
       userBase="ou=Users,dc=kerbtest,dc=local"
       userSearch="(mail={0})"
       userRoleName="memberOf"
       roleBase="ou=Users,dc=kerbtest,dc=local"
       roleName="cn"
       roleSearch="(uniqueMember={0})"/>
web.xml for manager web app has auth method set :-
<!-- Define the Login Configuration for this Application -->
<login-config>
    <!-- <auth-method>BASIC</auth-method> -->
    <auth-method>SPNEGO</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
</login-config>
Any ideas what is happening and what I can do to troubleshoot?
many thanks
David
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
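Two offline checks that follow from the thread, as an added example (this is not code from the thread or from Tomcat, and every input in it is a constructed sample). The reply asks whether the browser is even trying Kerberos; the first function decodes an "Authorization: Negotiate" header and tells an NTLM token (the fallback IE/Chrome send when the site is not in the Intranet zone or the SPN does not resolve) from a GSS-API/SPNEGO token, which is what a Fiddler or HttpFox capture would show. The server-side debug output above reports "entry length: 74; type: 23" and "version: 7" when loading tc01.keytab; the second function reads an MIT-format keytab (the format ktpass.exe writes) and reports the same facts: principal, kvno and enctype per entry. Enctype 23 is rc4-hmac, which the check flags as weak; with RC4 listed first in default_tkt_enctypes and only an RC4 key in the keytab, nothing stronger can be negotiated for this SPN. The SPN string, realm, timestamp and all-zero key in the sample keytab are assumptions made for the example.

```python
"""Offline SPNEGO troubleshooting helpers (added example, constructed inputs)."""
import base64
import struct

# DER-encoded OIDs that open a GSS-API InitialContextToken (RFC 2743 section 3.1)
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"            # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"  # 1.2.840.113554.1.2.2

# Kerberos enctype numbers (RFC 3961/3962/4757); 23 is what the thread's keytab holds
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}


def classify_negotiate_token(authorization_header: str) -> str:
    """Return 'ntlm', 'spnego', 'kerberos', 'unknown' or 'not-negotiate'."""
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"          # NTLMSSP signature: the browser fell back to NTLM
    if raw[:1] == b"\x60":     # [APPLICATION 0] tag of a GSS-API InitialContextToken
        head = raw[:16]        # tag + (possibly long-form) length + mech OID
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "kerberos"  # raw Kerberos mech without the SPNEGO wrapper
    return "unknown"


def parse_keytab(data: bytes) -> list:
    """Parse keytab file format version 0x0502 into one dict per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # negative size marks a deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos)
        realm = data[pos + 2:pos + 2 + rlen].decode()
        pos += 2 + rlen
        components = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            components.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        key = data[pos + 4:pos + 4 + klen]
        pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:         # optional 32-bit kvno (ktpass leaves it out)
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES,
                        "key_len": len(key), "entry_length": size})
        pos = end
    return entries


def keys_for_spn(entries: list, spn: str) -> list:
    """Entries whose principal matches the SPN configured in jaas.conf."""
    return [e for e in entries if e["principal"] == spn]


# --- constructed sample data (assumed values, not captured from the thread's hosts) ---
def _keytab_entry(realm, components, kvno, enctype, key):
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 1427192800, kvno)   # KRB5_NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + _keytab_entry(
    "KERBTEST.LOCAL", ["HTTP", "tc01.kerbtest.local"], 7, 23, bytes(16))
# NTLM NEGOTIATE (type 1) message: signature, type, flags, empty domain/workstation
NTLM_TYPE1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + bytes(16)
NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()
# Prefix of a NegTokenInit; a real token continues with mechTypes and the AP-REQ
SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()

if __name__ == "__main__":
    print("NTLM sample   ->", classify_negotiate_token(NTLM_HEADER))
    print("SPNEGO sample ->", classify_negotiate_token(SPNEGO_HEADER))
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
```

Run against a real capture, the header check answers the reply's first question before anything on the Tomcat side is touched: an "ntlm" result means the browser never asked the KDC for a ticket, so the keytab and JAAS settings are not yet in play. Run against the real tc01.keytab, the parser should print the same principal, kvno and enctype that the Java debug lines report; a kvno that differs from the one the KDC put in the service ticket (for instance after the tc01 password was reset or ktpass was re-run) means the acceptor cannot decrypt the AP-REQ even though the Negotiate header was correct.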