Hi,

I am working on Windows authentication with Tomcat 7. I have gone through the following doc:

windows-auth-howto, Tomcat instance (Windows server) <http://shodhganga.inflibnet.ac.in:8080/docs/windows-auth-howto.html#Tomcat_instance_(Windows_server)>

apache-tomcat-7.0.61
windows server 2008 R2
java 1.8.0_25
active directory machine (DOMAIN-ad)
tomcat instance machine (windows-sso-demo)
username (ss0ad...@domain.com)
password (XXXXXX)

    setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin
    ktpass /out c:\tomcat.keytab /mapuser ssoad...@domain.com /princ HTTP/windows-sso-d...@domain.com /pass XXXXX /kvno 0

C:\apache-tomcat-7.0.61\conf\jass.conf

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/windows-sso-d...@domain.com"
        useKeyTab=true
        keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
        storeKey=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/windows-sso-d...@domain.com"
        useKeyTab=true
        keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
        storeKey=true;
    };

C:\apache-tomcat-7.0.61\conf\krb5.ini

    [libdefaults]
    default_realm = DOMAIN.COM
    default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable=true

    [realms]
    DOMAIN.COM = {
        kdc = DOMAIN-ad:88
    }

    [domain_realm]
    dev.local= DOMAIN.COM
    .dev.local= DOMAIN.COM

C:\apache-tomcat-7.0.61\conf\server.xml

    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <!-- This Realm uses the UserDatabase configured in the global JNDI
           resources under the key "UserDatabase". Any edits
           that are performed against this UserDatabase are immediately
           available for use by the Realm. -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             debug="99"
             connectionURL="ldap://DOMAIN-ad:389"
             alternateURL="ldap://DOMAIN-ad:389"
             connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com"
             connectionPassword="XXXX"
             referrals="follow"
             userBase="CN=Users, DC=DOMAIN, DC=com"
             userSearch="(sAMAccountName={0})"
             userSubtree="true"
             roleBase="CN=Users, DC=DOMAIN, DC=com"
             roleName="CN"
             roleSubtree="true"
             roleSearch="(member={0})" />
    </Realm>

C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl

    <?xml version="1.0" encoding="UTF-8"?>
    <Context>
      <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />
    </Context>

C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
             version="2.4">

      <security-constraint>
        <display-name>All users</display-name>
        <web-resource-collection>
          <web-resource-name>All requests</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>

      <security-role>
        <description>All users</description>
        <role-name>*</role-name>
      </security-role>

      <login-config>
        <auth-method>SPNEGO</auth-method>
      </login-config>

      <display-name>Hello, World Application</display-name>
      <description>
        This is a simple web application with a source code organization
        based on the recommendations of the Application Developer's Guide.
      </description>

      <servlet>
        <servlet-name>HelloServlet</servlet-name>
        <servlet-class>mypackage.Hello</servlet-class>
      </servlet>

      <servlet-mapping>
        <servlet-name>HelloServlet</servlet-name>
        <url-pattern>/hello</url-pattern>
      </servlet-mapping>

    </web-app>

My error is:

    SEVERE: Unable to login as the service principal
    javax.security.auth.login.LoginException: Clock skew too great (37)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:192)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: KrbException: Clock skew too great (37)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
        ... 26 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)

Ravindhar Konka | Software Engineering
ravindhar_ko...@persistent.co.in | Cell: +91-99633 74753 | Tel: +91-20-674 42058
Persistent Systems Ltd. | Partner in Innovation | www.persistent.com
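
Added example, not part of the original post: Kerberos error 37 means the client and KDC clocks differ by more than the allowed tolerance (5 minutes by default), so a first check is to measure the offset between the Tomcat host and the KDC. The Python below does that over SNTP; it assumes the KDC host (DOMAIN-ad in the post) answers NTP on UDP 123, and every function name and the sample reply are constructed for this example.

```python
import socket
import struct
import sys
import time

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
KRB_MAX_SKEW = 300       # default Kerberos clock tolerance: 5 minutes

def _enc(t):
    """Unix time -> 64-bit NTP timestamp (seconds, fraction)."""
    return struct.pack("!II", int(t) + NTP_DELTA, int((t % 1) * 2**32))

def _dec(packet, pos):
    sec, frac = struct.unpack_from("!II", packet, pos)
    return sec - NTP_DELTA + frac / 2**32

def build_request(t1):
    """48-byte SNTP client request: LI=0, VN=3, Mode=3, transmit time t1."""
    return b"\x1b" + bytes(39) + _enc(t1)

def sample_reply(t2, t3, stratum=2):
    """Constructed server reply (Mode=4) for offline use, not captured traffic."""
    return bytes([0x1C, stratum]) + bytes(30) + _enc(t2) + _enc(t3)

def clock_offset(reply, t1, t4):
    """Seconds the server clock is ahead of the local clock (negative: behind)."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable server reply (wrong mode or stratum 0)")
    t2, t3 = _dec(reply, 32), _dec(reply, 40)   # server receive / transmit
    return ((t2 - t1) + (t3 - t4)) / 2

def kerberos_skew_ok(offset, limit=KRB_MAX_SKEW):
    return abs(offset) <= limit

def query(host, timeout=3.0):
    """Ask host (assumed to answer NTP on UDP 123) and return the offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, 123))
        reply, _ = s.recvfrom(512)
        return clock_offset(reply, t1, time.time())

if __name__ == "__main__":
    off = query(sys.argv[1]) if len(sys.argv) > 1 else clock_offset(
        sample_reply(1430000400.01, 1430000400.02), 1430000000.0, 1430000000.03)
    print("offset %+.1f s, within Kerberos tolerance: %s" % (off, kerberos_skew_ok(off)))
```

Run on the Tomcat machine with the KDC host name as the only argument; without an argument it evaluates the constructed reply, in which the server is 400 seconds ahead.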