Mark Thomas wrote:
On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,
Thanks fort your help!
I have enabled krb5 and gss debug.I altered CATALINA_OPTS in startup.bat and
also added the same definitions to the Java parameters in Configure Tomcat
tool.I definitely got more information when using startup.bat, not sure the
settings get picked up by the windows service ?
I do not think authentication completes, certainly authorization does not as I
cant see the site and get 401 http status.
I have not configured a tomcat realm but I have put the test user a manager-gui
group in Active Directory.
I've only given your config a quick scan, but the thing that jumps out
at me is spaces in the some of the paths. I'm not sure how well krb5.ini
will handle those. It might be fine. It might not be.
Mark
Considering your Kerberos logs, you may want to have a look at this :
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
(gotten to by Googling for "kerberos preauthentication", as this term seemed to appear in
the logs).
To me, your logs (assuming that they are the Tomcat Kerberos logs) would seem to indicate
that it is Tomcat who is trying to pre-authenticate to the KDC, and failing to do so (for
whatever reason I don't really know).
I am not really a specialist of Kerberos, but from what I understand of it, the first
action of a Kerberos client - when it logs in, which in this case could be construed as
"when Tomcat starts up" - is to contact a Kerberos "ticket granting server" (usually the
same as the KDC), and obtain a "ticket-granting ticket" from it.
Then later, when the client wants to access a service, it re-contacts the KDC, passes it
this "ticket-granting ticket", and requests another ticket to access the desired service.
Then it sends this "service ticket" to the host hosting the desired service, for
authentication.
For whatever reason, it looks as if Tomcat is at least trying to get such an initial
"ticket-granting ticket" for itself at start, and failing.
Maybe such a ticket is a necessary pre-condition for Tomcat's Kerberos stack, to be able
to authenticate "tomcat service tickets" presented to it later by a browser client ?
In terms of debugging what happens, I think that for the time being you should forget the
browser clients for a moment, and concentrate on Tomcat and this Kerberos log of his, and
find out why these seemingly error-messages appear in the log at start.
I would assume that, if everything went as expected, one would see at least some message
indicating success, which is not in evidence here for now.
Maybe the SPNs don't match, between the KDC and the Tomcat server ?
"ktlist" may be a good tool on both, to list what's there and compare.
David
Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
Am 24.03.2015 um 21:25 schrieb David Marsh:
Everything is as described and still not working, except the jaas.conf is :-
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat
8.0/conf/tomcat.keytab"
storeKey=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat
8.0/conf/tomcat.keytab"
storeKey=true;
};
In other words the principal is the tomcat server as it should be.
Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
Am 24.03.2015 um 21:05 schrieb David Marsh:
Sorry thats :-
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat server DNS.
Is it working with this configuration, or just to point out, that you
copied the wrong jaas.conf for the mail?
Felix
----------------------------------------
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +0000
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've created three Windows VMs :-
Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM
The Tomcat Server and the Test Client are joined to the same domain
kerbtest.local, they are logged in with domain logins.
The firewall is disabled on the Tomcat Server VM.
I've followed the guidelines on the Apache Tomcat website.
jaas.conf
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat
8.0/conf/tomcat.keytab"
storeKey=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat
8.0/conf/tomcat.keytab"
storeKey=true;
};
krb5.ini
[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat
8.0\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
[realms]
KERBTEST.LOCAL = {
kdc = win-dc01.kerbtest.local:88
}
I want to use the tomcat manager app to test SPNEGO with Active Directory.
I have tried to keep the setup as basic and vanilla to the instructions as
possible.
Users were created as instructed.
Spn was created as instructed
setspn -A HTTP/win-tc01.kerbtest.local tc01
keytab was created as instructed
ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ
HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
I have tried to test with firefox, chrome and IE, after ensuring
http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added
http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and
network.negotiate-auth.trusted-uris.
Tomcat is running as a Windows service under the tc01@kerbtest.local account.
Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in
firefox results in 401 three times.
Looking at the Network tab in developer tools in firefox shows 401 response
with WWW-Authenticate: Negotiate response http header.
The next has an Authorization request http header with long encrypted string.
That means, that tomcat is believing, it can use kerberos/SPNEGO and
firefox is able to get a service ticket, for the server and sends it
back. That far it is looking promising. But I assume the authentication
does not complete, right?
IE still prompts for credentials with a popup, not sure why as does chrome.
The setting User Authentication, Logon, Automatic Logon only in Intranet Zone,
is selected under trusted sites.
It seems like authentication is never completed ?
There are no errors in tomcat logs.
Any ideas what is happening and what I can do to troubleshoot ?
You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. that should
print out a lot of debug information, which should end up in catalina.out.
Felix
||
I'm quite happy to help improve the documentation and follow the instructions,
however I have tried that and cannot get a working basic set up.
many thanks
David
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
