Hello,
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've followed the guidelines on the website.
jaas.conf:

com.sun.security.jgss.krb5.initiate {...};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/tc01.kerbtest.local@KERBTEST.LOCAL"
        useKeyTab=true
        keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tc01.keytab"
        storeKey=true;
};
krb5.ini:

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable = true

[realms]
KERBTEST.LOCAL = {
    kdc = Server2012dc.kerbtest.local:88
}

[domain_realm]
kerbtest.local = KERBTEST.LOCAL
.kerbtest.local = KERBTEST.LOCAL
I want to use the Tomcat manager app to test SPNEGO with Active Directory; Tomcat is currently installed on the domain controller.
It seems like authentication is never completed, as in the browser I get prompted for credentials over and over. So there appear to be two issues:
1. Authentication is not succeeding
2. SPNEGO accept header is not currently sent
I have created the tc01 and test users in Active Directory, and the keytab as instructed.
I run Tomcat as the tc01 user:
runas /env /user:tc01@kerbtest.local "startup.bat"
Output from running Tomcat:
Server startup in 3443 ms
24-Mar-2015 10:26:56.485 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.496 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.510 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.525 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.544 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.560 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.575 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.587 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.599 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): tc01.kerbtest.local
>>> KeyTab: load() entry length: 74; type: 23
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 7
>>> KdcAccessibility: reset
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=160
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=160
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Mar 24 10:26:57 GMT 2015 1427192817000
     suSec is 627351
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=243
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=243
>>>DEBUG: TCPClient reading 1467 bytes
>>> KrbKdcReq send: #bytes read=1467
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Tue Mar 24 20:26:57 GMT 2015
I create a realm in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://192.168.78.8:389"
       userBase="ou=Users,dc=kerbtest,dc=local"
       userSearch="(mail={0})"
       userRoleName="memberOf"
       roleBase="ou=Users,dc=kerbtest,dc=local"
       roleName="cn"
       roleSearch="(uniqueMember={0})"/>
web.xml for the manager web app has the auth method set:

<!-- Define the Login Configuration for this Application -->
<login-config>
    <!-- <auth-method>BASIC</auth-method> -->
    <auth-method>SPNEGO</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
</login-config>
Any ideas what is happening and what I can do to troubleshoot?

Many thanks,
David
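As an added example (not part of David's post): a small Python parser for the sun.security.krb5 debug trace above that tells you whether the acceptor's keytab login succeeded. The constructed sample repeats the trace's messages one per line; error code 25 is the KDC asking for pre-authentication and is not a failure, and a "Found ticket ... to go to krbtgt/..." line means the keytab key matched the tc01 account, so a browser that keeps prompting points at the HTTP Negotiate exchange rather than the keytab.

```python
import re
# Constructed sample, modelled on the sun.security.krb5 debug trace in the post
# (one message per line; the mail client ran several together).
SAMPLE_LOG = """\
>>> KeyTab: load() entry length: 74; type: 23
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=160
>>>KRBError: sTime is Tue Mar 24 10:26:57 GMT 2015 1427192817000 suSec is 627351 error code is 25 error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Tue Mar 24 20:26:57 GMT 2015
"""

# KRB-ERROR codes (RFC 4120 section 7.5.9) that decide how to read an AS exchange.
KRB_ERRORS = {
    25: "KDC_ERR_PREAUTH_REQUIRED: expected on the first AS-REQ, not a failure",
    24: "KDC_ERR_PREAUTH_FAILED: keytab key does not match the account password/kvno",
    14: "KDC_ERR_ETYPE_NOSUPP: no encryption type in common with the KDC",
}
_KEYS_FOR = re.compile(r"Looking for keys for: (\S+)")
_ADDED_KEY = re.compile(r"Added key: (\d+)version: (\d+)")  # Java prints etype and kvno unseparated
_ERR = re.compile(r"error code is (\d+)")
_TICKET = re.compile(r"Found ticket for (\S+) to go to (\S+)")

def analyse(log):
    """Pull the principal, keytab (etype, kvno) pairs, KRB error codes and tickets out of a trace."""
    r = {"principals": set(), "keys": set(), "errors": [], "tickets": []}
    for line in log.splitlines():
        if m := _KEYS_FOR.search(line):
            r["principals"].add(m.group(1))
        if m := _ADDED_KEY.search(line):
            r["keys"].add((int(m.group(1)), int(m.group(2))))
        if m := _ERR.search(line):
            r["errors"].append(int(m.group(1)))
        if m := _TICKET.search(line):
            r["tickets"].append((m.group(1), m.group(2)))
    return r

def verdict(log):
    """Say whether the acceptor's keytab login (the AS exchange) succeeded and, if not, why."""
    r = analyse(log)
    fatal = [e for e in r["errors"] if e != 25]  # 25 is the normal pre-auth round trip
    if fatal:
        return "keytab login failed: " + "; ".join(KRB_ERRORS.get(e, f"error {e}") for e in fatal)
    if r["tickets"]:
        return "keytab login OK (TGT obtained); look at the HTTP Negotiate exchange, not the keytab"
    return "no AS-REP seen: check KDC reachability and krb5.ini"
```

Feed it the real trace (with the debug output restored to one message per line) and the (etype, kvno) pairs also show whether the keytab's kvno matches the AD account's current one after a password reset.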