Tomcat Kerberos Spnego authorization not working


I am trying to configure WebSSO for Tomcat 7.0.69 with the built-in SPNEGO authenticator over Kerberos. When I access the application, an HTTP Basic Auth dialog pops up and a debug entry is written to catalina.out (see below).

My keytab file sso.keytab contains a principal that is registered on my AD server (via ktpass.exe & setspn.exe).

I switched on debug mode for Kerberos, but I cannot find the problem. It simply stops at some point with "Entering logout". Do you have any idea in which step the authentication stops and what could be the reason for that? Any help is appreciated!

catalina.out

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/[email protected]
Added key: 23version: 0
Looking for keys for: HTTP/[email protected]
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=server001.my.domain UDP:88, timeout=30000, number of retries =3, #bytes=171
>>> KDCCommunication: kdc=server001.my.domain UDP:88, timeout=30000,Attempt =1, #bytes=171
>>> KrbKdcReq send: #bytes read=189
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

>>> KdcAccessibility: remove server001.my.domain
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Thu Dec 15 15:35:42 CET 2016 1481812542000
     suSec is 830454
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/[email protected]
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/[email protected]
Added key: 23version: 0
Looking for keys for: HTTP/[email protected]
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=server001.my.domain UDP:88, timeout=30000, number of retries =3, #bytes=254
>>> KDCCommunication: kdc=server001.my.domain UDP:88, timeout=30000,Attempt =1, #bytes=254
>>> KrbKdcReq send: #bytes read=104
>>> KrbKdcReq send: kdc=server001.my.domain TCP:88, timeout=30000, number of retries =3, #bytes=254
>>> KDCCommunication: kdc=server001.my.domain TCP:88, timeout=30000,Attempt =1, #bytes=254
>>>DEBUG: TCPClient reading 1666 bytes
>>> KrbKdcReq send: #bytes read=1666
>>> KdcAccessibility: remove server001.my.domain
Looking for keys for: HTTP/[email protected]
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/my.host.com
principal is HTTP/[email protected]
Will use keytab
    [LoginContext]: login success
Commit Succeeded 

    [LoginContext]: commit success
Found KeyTab /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab for HTTP/[email protected]
Found KeyTab /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab for HTTP/[email protected]
Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Fri Dec 16 01:35:42 CET 2016
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 13 79 30 82 13 75 a0 30 30 2e 06 09 2a 86 48 86 f7 12 01 02 02 
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/[email protected]
Added key: 23version: 0
        [Krb5LoginModule]: Entering logout
        [Krb5LoginModule]: logged out Subject
    [LoginContext]: logout success

The received token is a lot longer; I shortened it.

krb5.ini

[libdefaults]
    default_realm = MY.DOMAIN
    default_keytab_name = FILE:/path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    permitted_enctypes   = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

[realms]
    MY.DOMAIN = {
        kdc = server001.my.domain
        admin_server = server001.my.domain
        default_domain = MY.DOMAIN
    }

[domain_realm]
    .my.domain = MY.DOMAIN
    my.domain = MY.DOMAIN

jaas.conf

spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab"
    principal="HTTP/[email protected]"
    debug=true;
};

web.xml

<login-config>
  <auth-method>SPNEGO</auth-method>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSO Login</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

Architecture

  • AD server: Windows Server 2016
  • Application server: Unix (Red Hat 6) with Oracle JVM and Tomcat 7.0.69
  • Client: Windows 10 with Internet Explorer 11
1 answer

Answer by han (accepted):

Thanks to T-Heron, I was able to find the solution. The keytab file was generated with the wrong encryption type. For Windows 7/10 and in my environment it had to be explicitly set to AES256-SHA1.

The correct ktpass call:

ktpass -out D:\TEMP\sso.keytab -mapuser MYUSER -princ HTTP/[email protected] -ptype KRB5_NT_PRINCIPAL -kvno 0 -crypto AES256-SHA1 -pass ****

Thank you very much for the support!!!
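The debug output in the question already shows the mismatch the answer fixes: the only key loaded from sso.keytab is "Added key: 23" (rc4-hmac). The encryption type of the service ticket the browser presents is chosen by the KDC from what the service account advertises (msDS-SupportedEncryptionTypes in AD), not from what happens to be in the keytab, so if that ticket is AES-encrypted the acceptor has no key of the ticket's etype, Krb5Context.acceptSecContext cannot decrypt it, and the login module falls through to logout. The script below is an added example, not code from the question or the answer: it parses a keytab in the MIT format (version 0x0502, as written by ktpass.exe, ktutil and kadmin) and reports each key's principal, kvno and etype, flagging any principal without an AES key. The function names are my own; the principal and realm are taken from the post, while the keytab contents and key bytes are constructed in memory. One further check the log suggests: "default etypes for default_tkt_enctypes: 23 17." means the JVM offered only rc4-hmac and aes128 even though krb5.ini lists aes256 first, which on Oracle Java 8 before 8u161 is the usual sign that the unlimited-strength JCE policy files are not installed; an AES256-only keytab will not work until the JVM itself can use aes256-cts-hmac-sha1-96.

```python
# Added example (not from the post): parse an MIT-format keytab (version 0x0502, as
# written by ktpass.exe, ktutil and kadmin) and flag principals that have no AES key.
import struct
from dataclasses import dataclass

# Kerberos etype numbers (RFC 3961/3962, RFC 4757) with their krb5.conf names.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
               24: "rc4-hmac-exp", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
AES_ETYPES = {17, 18}
BROKEN_ETYPES = {1, 3, 24}     # single DES and export-grade RC4
KEYTAB_HEADER = b"\x05\x02"    # format version 0x0502: every field is big-endian
KRB5_NT_PRINCIPAL = 1          # name type written by ktpass -ptype KRB5_NT_PRINCIPAL


@dataclass
class KeytabEntry:
    principal: str             # "HTTP/host@REALM"
    kvno: int
    etype: int
    key_len: int


def _counted(buf, off):
    """counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def _parse_entry(e):
    (ncomp,) = struct.unpack_from(">H", e, 0)
    realm, off = _counted(e, 2)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(e, off)
        comps.append(comp)
    _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", e, off)
    off += 9
    etype, klen = struct.unpack_from(">HH", e, off)
    off += 4 + klen            # the key bytes themselves are not needed for the audit
    kvno = vno8
    if off + 4 <= len(e):      # optional 32-bit kvno follows; zero means "use vno8"
        (vno32,) = struct.unpack_from(">I", e, off)
        kvno = vno32 or vno8
    return KeytabEntry("/".join(comps) + "@" + realm, kvno, etype, klen)


def parse_keytab(data):
    """Parse keytab file bytes into KeytabEntry objects (0x0502 format only)."""
    if data[:2] != KEYTAB_HEADER:
        raise ValueError("unsupported keytab header %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:           # a negative size marks a deleted slot of -size bytes
            pos -= size
            continue
        if size == 0:
            break
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def audit(entries):
    """One finding per problem; an empty list means every principal has an AES key."""
    by_principal = {}
    for e in entries:
        by_principal.setdefault(e.principal, set()).add(e.etype)
    findings = []
    for princ, etypes in sorted(by_principal.items()):
        if not etypes & AES_ETYPES:
            names = ", ".join(ETYPE_NAMES.get(t, str(t)) for t in sorted(etypes))
            findings.append(f"{princ}: no AES key (only {names}); "
                            "an AES-encrypted service ticket cannot be decrypted")
        for t in sorted(etypes & BROKEN_ETYPES):
            findings.append(f"{princ}: broken etype {ETYPE_NAMES[t]} present")
    return findings


def build_keytab_entry(principal, realm, kvno, etype, key):
    """Encode one keytab entry; used here only to construct sample input."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        b = s.encode("utf-8")
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed samples using the names from the post; the key bytes are dummies.
PRINCIPAL, REALM = "HTTP/my.host.com", "MY.DOMAIN"
RC4_ONLY_KEYTAB = KEYTAB_HEADER + build_keytab_entry(PRINCIPAL, REALM, 0, 23, b"\x11" * 16)
AES256_KEYTAB = KEYTAB_HEADER + build_keytab_entry(PRINCIPAL, REALM, 0, 18, b"\x22" * 32)

if __name__ == "__main__":     # stand-alone: audit the RC4-only sample, as in the question
    for finding in audit(parse_keytab(RC4_ONLY_KEYTAB)):
        print("WARNING:", finding)
```

To check a real file, read it and pass the bytes to parse_keytab(), e.g. `audit(parse_keytab(open("conf/sso.keytab", "rb").read()))`; the RC4-only sample reproduces the "Added key: 23version: 0" situation from the log and yields one finding, the AES256 sample yields none. The kvno in the keytab must also match the kvno the KDC uses for the account, which is why the answer's ktpass call pins it with -kvno 0.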