Jochen Auinger
Reputation: 51
Tomcat 8 SPNEGO single sign on not working
I´m new to SPNEGO and I have tried many tutorials and spent many hours looking for a solution. So finally I ask my question here: What is going wrong during authentication and how can I solve it?
Here are my configurations & logs (Tomcat is running on Windows 10 for development). I have tested with IE11, Chrome and Firefox (all in current Version).
EDIT: Updated Apache to 8.0.50 and changed the new log
EDIT2: I managed proceed a step. Configuration and logs below are updated. Especially the Kerberos log is interesting, because the line "Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS" indicates that so far everything is OK. But short after that there is again a logout.
Systemdaten:
Using CATALINA_BASE: "D:\Projekte\DEV_Verwaltung\apache-tomcat"
Using CATALINA_HOME: "D:\Projekte\DEV_Verwaltung\apache-tomcat"
Using CATALINA_TMPDIR: "D:\Projekte\DEV_Verwaltung\apache-tomcat\temp"
Using JRE_HOME: "C:\Program Files\Java\jdk1.8.0_162"
Using CLASSPATH: "D:\Projekte\DEV_Verwaltung\apache-tomcat\bin\bootstrap.jar;D:\Projekte\DEV_Verwaltung\apache-tomcat\bin\tomcat-juli.jar"
Server version: Apache Tomcat/8.0.50
Server built: Feb 7 2018 20:06:05 UTC
Server number: 8.0.50.0
OS Name: Windows 10
OS Version: 10.0
Architecture: amd64
JVM Version: 1.8.0_162-b12
JVM Vendor: Oracle Corporation
1) krb5.ini
[libdefaults]
default_realm = DEV.LOCAL
default_keytab_name = FILE:D:\Projekte\DEV_Verwaltung\apache-tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,AES-256-CTS-HMAC-SHA1-96,AES-128-CTS-HMAC-SHA1-96
default_tgs_enctypes = rc4-hmac,AES-256-CTS-HMAC-SHA1-96,AES-128-CTS-HMAC-SHA1-96
permitted_enctypes = rc4-hmac,AES-256-CTS-HMAC-SHA1-96,AES-128-CTS-HMAC-SHA1-96
forwardable=true
[realms]
DEV.LOCAL = {
kdc = dev-dc01.dev.local:88
}
[domain_realm]
dev.local= DEV.LOCAL
.dev.local= DEV.LOCAL
2) jaas.conf
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/[email protected]"
useKeyTab=true
keyTab="D:/Projekte/DEV_Verwaltung/apache-tomcat/conf/tomcat.keytab"
storeKey=true
debug=true
moduleBanner=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useKeyTab=true
storeKey=true
debug=true
moduleBanner=true
principal="HTTP/[email protected]"
keyTab="D:/Projekte/DEV_Verwaltung/apache-tomcat/conf/tomcat.keytab"
;
};
3) Relevant part of server.xml
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="9"
connectionURL="ldap://dev-dc01.dev.local:389"
userBase="OU=Benutzer,OU=DEV,DC=dev,DC=local"
userSubtree="true"
userSearch="(sAMAccountName={0})"
userRoleName="memberOf"
roleBase="OU=MA-Portal,OU=TomcatSSO,DC=dev,DC=local"
roleName="cn"
roleSearch="(member={0})"
roleSubtree="true"
roleNested="true"
authentication="none"
useDelegatedCredential="true"
spnegoDelegationQop="auth"
stripRealmForGss="false"
/>
<Host name="localhost" appBase="webapps">
<Context docBase="/MA-Portal" path="">
<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
storeDelegatedCredential="true" />
</Context>
</Host>
</Engine>
4) Part of web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>DEV Portal</web-resource-name>
<url-pattern>/index.xob</url-pattern>
<url-pattern>/index.html</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>SPNEGO</auth-method>
</login-config>
5) setspn:
C:\>setspn -l tc01
Registered ServicePrincipalNames for CN=Tomcat DEV160,OU=Aktiv,OU=Benutzer,OU=DEV,DC=dev,DC=local:
http/[email protected]
6) Creation of the keytab file:
ktpass -out tomcat.keytab -mapuser [email protected] -princ HTTP/[email protected] -ptype KRB5_NT_PRINCIPAL -kvno 0 -crypto All -pass mySecurePassword
7) Log file (with Kerberos debug switched on):
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is D:/Projekte/DEV_Verwaltung/apache-tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/[email protected]
Added key: 18version: 0
Looking for keys for: HTTP/[email protected]
Added key: 18version: 0
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dev-dc01.dev.local TCP:88, timeout=30000, number of retries =3, #bytes=145
>>> KDCCommunication: kdc=dev-dc01.dev.local TCP:88, timeout=30000,Attempt =1, #bytes=145
>>>DEBUG: TCPClient reading 184 bytes
>>> KrbKdcReq send: #bytes read=184
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = DEV.LOCALHTTPdev160.dev.local, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove dev-dc01.dev.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Thu Mar 22 11:45:39 CET 2018 1521715539000
suSec is 637032
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/[email protected]
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = DEV.LOCALHTTPdev160.dev.local, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/[email protected]
Added key: 18version: 0
Looking for keys for: HTTP/[email protected]
Added key: 18version: 0
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dev-dc01.dev.local TCP:88, timeout=30000, number of retries =3, #bytes=232
>>> KDCCommunication: kdc=dev-dc01.dev.local TCP:88, timeout=30000,Attempt =1, #bytes=232
>>>DEBUG: TCPClient reading 1501 bytes
>>> KrbKdcReq send: #bytes read=1501
>>> KdcAccessibility: remove dev-dc01.dev.local:88
Looking for keys for: HTTP/[email protected]
Added key: 18version: 0
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/dev160.dev.local
principal is HTTP/[email protected]
Will use keytab
Commit Succeeded
Found KeyTab D:\Projekte\DEV_Verwaltung\apache-tomcat\conf\tomcat.keytab for HTTP/[email protected]
Found KeyTab D:\Projekte\DEV_Verwaltung\apache-tomcat\conf\tomcat.keytab for HTTP/[email protected]
Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Thu Mar 22 21:45:39 CET 2018
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/[email protected]
Added key: 18version: 0
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
default etypes for permitted_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1521715539/009934/6F0C350291AF99F8B1C96420B2CA9A91/[email protected] to [email protected]|HTTP/[email protected]
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>Delegated Creds have [email protected] sname=krbtgt/[email protected] authtime=null starttime=20180322104539Z endtime=20180322204539ZrenewTill=20180329104539Z
Krb5Context setting peerSeqNumber to: 1164363412
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 97594329
Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Thu Mar 22 21:45:39 CET 2018
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Thu Mar 22 21:45:39 CET 2018
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 18.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=dev-dc01.dev.local TCP:88, timeout=30000, number of retries =3, #bytes=1433
>>> KDCCommunication: kdc=dev-dc01.dev.local TCP:88, timeout=30000,Attempt =1, #bytes=1433
>>>DEBUG: TCPClient reading 1432 bytes
>>> KrbKdcReq send: #bytes read=1432
>>> KdcAccessibility: remove dev-dc01.dev.local:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 374044442
Created InitSecContextToken:
0000: 01 00 6E 82 05 4F 30 82 05 4B A0 03 02 01 05 A1 ..n..O0..K......
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 04 ......... ......
0020: 54 61 82 04 50 30 82 04 4C A0 03 02 01 05 A1 0B Ta..P0..L.......
:
0540: 86 C5 5C 0A 24 74 6D E4 A2 1A 01 E7 8B 7C B7 2A ..\.$tm........*
0550: 9B 00 96 39 C8 ...9.
Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting peerSeqNumber to: 1856492318
Krb5Context.unwrap: token=[05 04 05 ff 00 0c 00 0c 00 00 00 00 6e a7 d3 1e fb 6f 0b 44 ed 16 da 31 19 c5 ca c0 07 a0 00 00 ]
Krb5Context.unwrap: data=[07 a0 00 00 ]
Krb5Context.wrap: data=[01 01 00 00 ]
Krb5Context.wrap: token=[05 04 04 ff 00 0c 00 00 00 00 00 00 16 4b 77 1a 01 01 00 00 66 ac 65 95 f2 e1 61 4f 00 2b 8e 51 ]
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
As far as I can tell everything looks like it should work, but in a browser a login dialog appears. When I enter my credentials, I receive error 403 Access to the specified resource has been denied.
So the authentication fails. But why? Thanks for your help in advance.
Best regards
Jochen
Upvotes: 2
Views: 4982
Answers (1)
Jochen Auinger
Reputation: 51
It´s working!
What I have forgotten is the "security-role" tag matching the AD group. After adding the tag with the correct group (CN=MyUsers,OU=...., DC=dev,DC=local) everything started to work.
<security-constraint>
<web-resource-collection>
<web-resource-name>DEV DEV-Portal</web-resource-name>
<!--<url-pattern>/index.xob</url-pattern>
<url-pattern>/index.html</url-pattern>
<url-pattern>/test.xob</url-pattern>-->
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>TRACE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>CN=DEV-Portal-Users,OU=DEV-Portal,OU=TomcatSSO,DC=dev,DC=local</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description>DEV-Portal-Users</description>
<role-name>CN=DEV-Portal-Users,OU=DEV-Portal,OU=TomcatSSO,DC=dev,DC=local</role-name>
</security-role>
Thank´s to all trying to help me.
Jochen
Upvotes: 2
Related Questions
- SPNEGO in tomcat always prompting password
- Custom SpnegoAuthenticator worked with Tomcat 8 but gives 404 with Tomcat 9
- Configuring Tomcat SSO using Kerberos SPNEGO
- SPNEGO with Tomcat error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
- Auto-login using SPNEGO Web SSO
- Tomcat Kerberos Spnego authorization not working
- SPNEGO Kerberos Single Sign On does not work in AD domain for tomcat server
- Single sign-on not working in Spring web app
- Kerberos/Spnego authentication issue after password change
- BadCredentialsException: Kerberos validation not succesfull