Thanks Bill!!! It looks like overriding the UserDatabaseRealm is the way to go so that I can authenticate against the LDAP with the user cert.

I appreciate your time.

Rick

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: Sunday, November 06, 2005 10:30 PM
To: users@tomcat.apache.org
Subject: Re: Client Certificate Authentication Failure

Tomcat is getting the cert fine (otherwise you'd get a different response message). The problem is that it can't find a user to go with the certificate. This means that you've got a problem with your Realm configuration. Unfortunately, out of the Realms that ship with Tomcat, only MemoryRealm and UserDatabaseRealm support client-cert auth. With these, you need to specify the string representation of the cert's Subject as the user's name. If you need another method of matching certs to users, then you'll probably need to create your own custom Realm to do it.

"Steinberger, Richard" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

Hello All!

I am trying to set up client certificate authentication in 5.5.12 on Windows. I am getting the following error page....

HTTP Status 401 - Cannot authenticate with the provided credentials
________________________________________
type Status report
message Cannot authenticate with the provided credentials
description This request requires HTTP authentication (Cannot authenticate with the provided credentials).
________________________________________
Apache Tomcat/5.5.12

With the following dumped to the log.....

INFO: isSecure=true
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: authType=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: contentLength=-1
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: contentType=text/html;charset=utf-8
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Pragma=No-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Cache-Control=no-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Expires=Wed, 31 Dec 1969 19:00:00 EST
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: message=Cannot authenticate with the provided credentials
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: remoteUser=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: status=401

The log entry... "authType=null" confuses me.

The log entry... "header=Expires=Wed, 31 Dec 1969 19:00:00 EST" ...makes it look like the server is not getting the user cert, so is failing to authenticate because of an apparently expired certificate, based on a (default?) date in the past. I have tried this with two certificates, with two different signers, all with valid dates, and still get the same result.

Here is the connector...

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="C:\\CACerts\\prod\\.keystore" keystoreType="JKS" keystorePass="changeit"
           truststoreFile="C:\\CACerts\\prod\\.truststore" truststoreType="JKS" truststorePass="changeit" />

By switching the <login-config> to FORM I can login just fine over https. Also, turning off clientAuth works fine. My feeling is that the certificates are OK, but that I am missing a config setting.

I am doing this testing on my local machine, with a fresh, default install.

Any input would be appreciated.

Rick

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
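As an added example that is not part of the thread or of Tomcat itself, the Python helper below parses a RequestDumperValve dump in the layout quoted above (a timestamp/class line followed by an "INFO: key=value" line per record) and applies Bill's reasoning mechanically: a response with isSecure=true means the TLS handshake, and therefore the client-cert exchange, already succeeded, so a 401 with authType=null and remoteUser=null points at the Realm not mapping the certificate Subject to a user, not at the certificate. It also checks the point Rick tripped over: the Expires header is the Unix epoch rendered in the server's local zone, which is the no-cache marker on the 401 response and says nothing about the certificate's validity period. The sample log is constructed from the records in the thread; the record regex and the diagnosis strings are this example's own.

```python
import re
from dataclasses import dataclass, field
from email.utils import parsedate_to_datetime
from typing import Dict

# Constructed sample, modelled on the RequestDumperValve output quoted in the
# thread: each record is a date/class line followed by an "INFO: key=value" line.
SAMPLE_LOG = """\
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: isSecure=true
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: authType=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: contentLength=-1
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: contentType=text/html;charset=utf-8
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Pragma=No-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Cache-Control=no-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Expires=Wed, 31 Dec 1969 19:00:00 EST
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: message=Cannot authenticate with the provided credentials
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: remoteUser=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: status=401
"""

# One data record: "INFO: <key>=<value>" (assumed layout; see lead-in).
RECORD = re.compile(r"^INFO:\s+([A-Za-z]+)=(.*)$")


@dataclass
class RequestDump:
    fields: Dict[str, str] = field(default_factory=dict)   # scalar key=value records
    headers: Dict[str, str] = field(default_factory=dict)  # header=Name=Value records


def parse_request_dump(text: str) -> RequestDump:
    """Collect the key=value records of one RequestDumperValve dump."""
    dump = RequestDump()
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # timestamp/class lines and dashed separators carry no data
        key, value = m.group(1), m.group(2)
        if key == "header":
            name, _, hvalue = value.partition("=")  # header=Name=Value
            dump.headers[name] = hvalue
        else:
            dump.fields[key] = value
    return dump


def expires_header_is_epoch(dump: RequestDump) -> bool:
    """True when Expires is the Unix epoch shown in some local zone.

    That is the 'do not cache' marker Tomcat puts on the 401 response; it is
    a response header and unrelated to the client certificate's validity.
    """
    raw = dump.headers.get("Expires")
    if raw is None:
        return False
    try:
        return parsedate_to_datetime(raw).timestamp() == 0.0
    except (TypeError, ValueError):
        return False


def diagnose(dump: RequestDump) -> str:
    """Classify the dump the way Bill's reply does."""
    f = dump.fields
    if f.get("isSecure") != "true":
        return "not a TLS request: clientAuth cannot apply, check the connector/scheme"
    user = f.get("remoteUser")
    if user not in (None, "null"):
        return f"authenticated as {user} via authType={f.get('authType')}"
    if f.get("status") == "401" and f.get("authType") == "null":
        # A response exists at all, so the handshake (and cert exchange) succeeded.
        return ("TLS handshake completed but no Principal was set: the Realm did not "
                "map the certificate Subject to a user (check the Realm, not the cert)")
    return "no authentication failure visible in this dump"


if __name__ == "__main__":
    d = parse_request_dump(SAMPLE_LOG)
    print(diagnose(d))
    print("Expires header is the epoch (cache marker):", expires_header_is_epoch(d))
```

With MemoryRealm or UserDatabaseRealm the fix Bill describes is to add a user whose name is the exact string form of the certificate's Subject; this helper only tells you that the failure is on that side rather than in the TLS layer.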