RE: Tomcat windows 7 authentication

Thu, 07 May 2015 04:38:25 -0700 

I have done NTP synchronization in AD
still I am getting same error
could you please help in this

-----Original Message-----
From: David Marsh [mailto:dmars...@outlook.com]
Sent: Thursday, May 07, 2015 3:39 PM
To: Tomcat Users List
Subject: RE: Tomcat windows 7 authentication

Kerberos requires NTP synchronisation to be in place and working.
Fix your clocks and the error should go away.

> From: ravindhar_ko...@persistent.com
> To: users@tomcat.apache.org
> Subject: Tomcat windows 7 authentication
> Date: Thu, 7 May 2015 10:01:39 +0000
>
> Hi
> I am working on windows authentication with tomcat 7.
> I have gone through the following doc.
> windows-auth-howto 
> Tomcat_instance_(Windows_server)<http://shodhganga.inflibnet.ac.in:8080/docs/windows-auth-howto.html#Tomcat_instance_(Windows_server)>
>
>
> apache-tomcat-7.0.61
> windows server 2008 R2
> java 1.8.0_25
> active directory machine ( DOMAIN-ad)
> tomcat instance machine (windows-sso-demo)
> username (ss0ad...@domain.com<mailto:ss0ad...@domain.com>)
> password (XXXXXX)
>
> setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin
> ktpass /out c:\tomcat.keytab /mapuser ssoad...@domain.com /princ 
> HTTP/windows-sso-d...@domain.com /pass XXXXX /kvno 0
>
> C:\apache-tomcat-7.0.61\conf\jass.conf
>
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/windows-sso-d...@domain.com"
>     useKeyTab=true
>     keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
>     storeKey=true;
> };
>
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/windows-sso-d...@domain.com"
>     useKeyTab=true
>    keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
>     storeKey=true;
> };
>
> C:\apache-tomcat-7.0.61\conf\krb5.ini
>
> [libdefaults]
> default_realm = DOMAIN.COM
> default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab
> default_tkt_enctypes = 
> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = 
> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
>
> [realms]
> DOMAIN.COM = {
>         kdc = DOMAIN-ad:88
> }
>
> [domain_realm]
> dev.local= DOMAIN.COM
> .dev.local= DOMAIN.COM
>
> C:\apache-tomcat-7.0.61\conf\server.xml
>
> <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <!-- This Realm uses the UserDatabase configured in the global JNDI
>              resources under the key "UserDatabase".  Any edits
>              that are performed against this UserDatabase are immediately
>              available for use by the Realm.  -->
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                resourceName="UserDatabase"/>
>
>                                                 <Realm 
> className="org.apache.catalina.realm.JNDIRealm"  debug="99"
>            connectionURL="ldap://DOMAIN-ad:389";
>            alternateURL="ldap://DOMAIN-ad:389";
>            connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com"
>            connectionPassword="XXXX"
>            referrals="follow"
>            userBase="CN=Users, DC=DOMAIN, DC=com"
>            userSearch="(sAMAccountName={0})"
>            userSubtree="true"
>            roleBase="CN=Users, DC=DOMAIN, DC=com"
>            roleName="CN"
>            roleSubtree="true"
>            roleSearch="(member={0})" />
>
>
>
>       </Realm>
>
>
> C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Context>
>    <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />
> </Context>
>
>
>
> C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee";
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";
>     version="2.4">
>
>
>
>                 <security-constraint>
>     <display-name>All users</display-name>
>     <web-resource-collection>
>       <web-resource-name>All requests</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <security-role>
>     <description>All users</description>
>     <role-name>*</role-name>
>   </security-role>
>
>   <login-config>
>     <auth-method>SPNEGO</auth-method>
>   </login-config>
>
>
>     <display-name>Hello, World Application</display-name>
>     <description>
>                 This is a simple web application with a source code 
> organization
>                 based on the recommendations of the Application Developer's 
> Guide.
>     </description>
>
>     <servlet>
>         <servlet-name>HelloServlet</servlet-name>
>         <servlet-class>mypackage.Hello</servlet-class>
>     </servlet>
>
>     <servlet-mapping>
>         <servlet-name>HelloServlet</servlet-name>
>         <url-pattern>/hello</url-pattern>
>     </servlet-mapping>
>
>
> </web-app>
>
>
>
> My error is
>
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Clock skew too great (37)
>         at 
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
> b5LoginModule.java:804)
>         at 
> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.ja
> va:617)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:62)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:483)
>         at 
> javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
>         at 
> javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
> 95)
>         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:6
> 80)
>         at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>         at 
> org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(Sp
> negoAuthenticator.java:192)
>         at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
> torBase.java:577)
>         at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
> ava:170)
>         at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
> ava:103)
>         at 
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:
> 950)
>         at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
> ve.java:116)
>         at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
> a:423)
>         at 
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp
> 11Processor.java:1079)
>         at 
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
> AbstractProtocol.java:620)
>         at 
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoin
> t.java:318)
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
> java:1142)
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
> .java:617)
>         at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskTh
> read.java:61)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: KrbException: Clock skew too great (37)
>         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>         at 
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
> b5LoginModule.java:776)
>         ... 26 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>         at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
>         at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
>
> Ravindhar Konka | Software Engineering
> ravindhar_ko...@persistent.co.in<mailto:ravindhar_ko...@persistent.co.in>| 
> Cell: +91-99633 74753 | Tel: +91-20-674 42058
> Persistent Systems Ltd. | Partner in Innovation | 
> www.persistent.com<http://www.persistent.com/>
>
>
> DISCLAIMER
> ==========
> This e-mail may contain privileged and confidential information which is the 
> property of Persistent Systems Ltd. It is intended only for the use of the 
> individual or entity to which it is addressed. If you are not the intended 
> recipient, you are not authorized to read, retain, copy, print, distribute or 
> use this message. If you have received this communication in error, please 
> notify the sender and delete all copies of this message. Persistent Systems 
> Ltd. does not accept any liability for virus infected mails.
>


DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the 
property of Persistent Systems Ltd. It is intended only for the use of the 
individual or entity to which it is addressed. If you are not the intended 
recipient, you are not authorized to read, retain, copy, print, distribute or 
use this message. If you have received this communication in error, please 
notify the sender and delete all copies of this message. Persistent Systems 
Ltd. does not accept any liability for virus infected mails.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to