Thanks Bill!!!

It looks like overriding the UserDatabaseRealm is the way to go so that I can authenticate against the LDAP with the user cert.

I appreciate your time.

Rick


-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: Sunday, November 06, 2005 10:30 PM
To: users@tomcat.apache.org
Subject: Re: Client Certificate Authentication Failure

Tomcat is getting the cert fine (otherwise you'd get a different response message).  The problem is that it can't find a user to go with the certificate.

This means that you've got a problem with your Realm configuration. Unfortunately, out of the Realms that ship with Tomcat, only MemoryRealm and UserDatabaseRealm support client-cert auth.  With these, you need to specify the string representation of the cert's Subject as the user's name.

If you need another method of matching certs to users, then you'll probably need to create your own custom Realm to do it.

"Steinberger, Richard" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED].


Hello All!



I am trying to set up client certificate authentication in 5.5.12 on Windows.



I am getting the following error page....



HTTP Status 401 - Cannot authenticate with the provided credentials

________________________________________

type Status report

message Cannot authenticate with the provided credentials

description This request requires HTTP authentication (Cannot
authenticate with the provided credentials).

________________________________________

Apache Tomcat/5.5.12





With the following dumped to the log.....



INFO:           isSecure=true
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:           authType=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:      contentLength=-1
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:        contentType=text/html;charset=utf-8
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Pragma=No-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Cache-Control=no-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Expires=Wed, 31 Dec 1969 19:00:00 EST
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:            message=Cannot authenticate with the provided credentials
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:         remoteUser=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             status=401



The log entry...

"authType=null"

confuses me.





The log entry...

"header=Expires=Wed, 31 Dec 1969 19:00:00 EST"

...makes it look like the server is not getting the user cert, so it is failing to authenticate because of an apparently expired certificate, based on a (default?) date in the past.

I have tried this with two certificates, with two different signers, all
with valid dates, and still get the same result.





Here is the connector...



    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:\\CACerts\\prod\\.keystore"
               keystoreType="JKS" keystorePass="changeit"
               truststoreFile="C:\\CACerts\\prod\\.truststore"
               truststoreType="JKS" truststorePass="changeit" />





By switching the <login-config> to FORM I can login just fine over https.

Also, turning off clientAuth works fine.



My feeling is that the certificates are OK, but that I am missing a config setting.



I am doing this testing on my local machine, with a fresh, default
install.



Any input would be appreciated.



Rick
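
As an added illustration of the point made above (not code from the thread or from Tomcat itself): with the stock UserDatabaseRealm, Tomcat 5.5 looks up the user by the certificate's whole Subject string, so the <user name="..."> entry has to be that exact string. The hypothetical Realm below, assuming the Tomcat 5.5 RealmBase/UserDatabaseRealm API, keeps the tomcat-users.xml store but matches on the Subject's CN instead, which is the kind of custom mapping the reply refers to.

```java
package com.example.realm; // hypothetical package for this example

import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.catalina.realm.UserDatabaseRealm;

/**
 * Example Realm (not from the thread) that reuses UserDatabaseRealm's
 * user store but matches client certs on the Subject CN rather than the
 * full Subject string that RealmBase.authenticate(X509Certificate[]) uses.
 */
public class CnUserDatabaseRealm extends UserDatabaseRealm {

    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length < 1) {
            return null; // clientAuth="true" but no certificate was presented
        }
        // Refuse any cert in the chain outside its validity period before looking it up.
        for (X509Certificate cert : certs) {
            try {
                cert.checkValidity();
            } catch (CertificateException e) {
                return null;
            }
        }
        String cn = commonName(certs[0]); // certs[0] is the end-entity (user) cert
        if (cn == null) {
            return null;
        }
        // Inherited lookup: the CN must exist as a <user name="..."> entry.
        return getPrincipal(cn);
    }

    /** Returns the first CN attribute of the end-entity cert's Subject, or null. */
    static String commonName(X509Certificate cert) {
        try {
            // getName() yields RFC 2253 form, which LdapName parses.
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Unparsable Subject: treat as no matching user.
        }
        return null;
    }
}
```

Wire it in with <Realm className="com.example.realm.CnUserDatabaseRealm" resourceName="UserDatabase"/> in place of the default Realm. Matching on CN alone is looser than the default full-Subject match, since any CA in the Connector's truststore can issue a cert with that CN, so keep the truststore limited to the issuing CA you actually trust.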

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
