No Single Sign on for Redhat Tomcat

Help
Peter
2014-03-03
2014-03-04
  • Peter

    Peter - 2014-03-03

    Hi,
I am running Tomcat under Red Hat, on Solaris. I have Kerberos working with the sample Java code (see below); however, I cannot get Internet Explorer (IE9) to pass on the Kerberos ticket. It appears as though IE does not see the Linux machine as a trusted box and so falls back to NTLM. I have the Linux box configured as a trusted intranet site in IE. Here is the output from a Java client that proves Kerberos is functioning. Is there anything else that is required to get IE to perform SSO?

    CODE

    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.net.URL;

    import net.sourceforge.spnego.SpnegoHttpURLConnection;

    public class HelloSpnegoClient {

        public static void main(final String[] args) throws Exception {
            final String username = "pddoyle"; // ex. dfelix
            final String password = "XXXXXX"; // ex. myp@s5
            final String url = "http://melladcal12.global.thebank.com:51810/hello_spnego.jsp"; // ex. http://medusa:8080/hello_jsp.jsp
            final String module = "spnego-client"; // ex. spnego-client (JAAS login module name from login.conf)

            // Point the JRE at the Kerberos config and the JAAS login config used by this client
            System.setProperty("java.security.krb5.conf", "E:\\javasoft\\ldapTest\\krb5.conf");
            System.setProperty("sun.security.krb5.debug", "true"); // produces the KDC exchange trace shown in OUTPUT
            System.setProperty("java.security.auth.login.config", "E:\\javasoft\\ldapTest\\login.conf");

            SpnegoHttpURLConnection spnego = null;
            try {
                // Gets a TGT with the password, then a service ticket for HTTP/<host>, and sends it in the Negotiate header
                spnego = new SpnegoHttpURLConnection(module, username, password);
                spnego.connect(new URL(url));

                System.out.println("\nHTTP_STATUS_CODE=" + spnego.getResponseCode());

                BufferedReader in = new BufferedReader(new InputStreamReader(spnego.getInputStream()));
                String inputLine;
                while ((inputLine = in.readLine()) != null) {
                    System.out.println(inputLine);
                }
                in.close();
            } finally {
                if (null != spnego) {
                    spnego.disconnect();
                }
            }
        }
    }
    

    OUTPUT

    default etypes for default_tkt_enctypes: 17 23 16 3 1.
    default etypes for default_tkt_enctypes: 17 23 16 3 1.
    >>> KrbAsReq calling createMessage
    >>> KrbAsReq in createMessage
    >>> KrbKdcReq send: kdc=sydwisadc01.global.THEBANK.com TCP:88, timeout=30000, number of retries =3, #bytes=170
    >>>DEBUG: TCPClient reading 252 bytes
    >>> KrbKdcReq send: #bytes read=252
    >>> KrbKdcReq send: #bytes read=252
    >>> KdcAccessibility: remove sydwisadc01.global.THEBANK.com
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
         sTime is Mon Mar 03 11:14:08 EST 2014 1393805648000
         suSec is 857576
         error code is 25
         error Message is Additional pre-authentication required
         realm is GLOBAL.THEBANK.COM
         sname is krbtgt/GLOBAL.THEBANK.COM
         eData provided.
         msgType is 30
    >>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
         PA-ETYPE-INFO salt = 
         salt for 3 is GLOBAL.THEBANK.COMpddoyle
         salt for 1 is GLOBAL.THEBANK.COMpddoyle
    >>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
         PA-DATA type = 15
    AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
    default etypes for default_tkt_enctypes: 17 23 16 3 1.
    Updated salt from pre-auth = GLOBAL.THEBANK.COMpddoyle
    >>>KrbAsReq salt is GLOBAL.THEBANK.COMpddoyle
    default etypes for default_tkt_enctypes: 17 23 16 3 1.
    Pre-Authenticaton: find key for etype = 1
    AS-REQ: Add PA_ENC_TIMESTAMP now
    >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    >>>crc32: 6300cfca
    >>>crc32: 1100011000000001100111111001010
    >>> KrbAsReq calling createMessage
    >>> KrbAsReq in createMessage
    >>> KrbKdcReq send: kdc=sydwisadc01.global.THEBANK.com TCP:88, timeout=30000, number of retries =3, #bytes=244
    >>>DEBUG: TCPClient reading 1781 bytes
    >>> KrbKdcReq send: #bytes read=1781
    >>> KrbKdcReq send: #bytes read=1781
    >>> KdcAccessibility: remove sydwisadc01.global.THEBANK.com
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    >>> KrbAsRep cons in KrbAsReq.getReply pddoyle
    default etypes for default_tkt_enctypes: 17 23 16 3 1.
    Found ticket for pddoyle@GLOBAL.THEBANK.COM to go to krbtgt/GLOBAL.THEBANK.COM@GLOBAL.THEBANK.COM expiring on Mon Mar 03 21:14:08 EST 2014
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Service ticket not found in the subject
    >>> Credentials acquireServiceCreds: same realm
    default etypes for default_tgs_enctypes: 17 23 16 3 1.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    >>> KrbKdcReq send: kdc=sydwisadc01.global.THEBANK.com TCP:88, timeout=30000, number of retries =3, #bytes=1802
    >>>DEBUG: TCPClient reading 1891 bytes
    >>> KrbKdcReq send: #bytes read=1891
    >>> KrbKdcReq send: #bytes read=1891
    >>> KdcAccessibility: remove sydwisadc01.global.THEBANK.com
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    Subject is readOnly;Kerberos Service ticket not stored
    >>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
    >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Krb5Context setting mySeqNumber to: 325351383
    Created InitSecContextToken:
    0000: 01 00 6E 82 07 04 30 82   07 00 A0 03 02 01 05 A1  ..n...0.........
    0010: 03 02 01 0E A2 07 03 05   00 20 00 00 00 A3 82 06  ......... ......
    0020: 20 61 82 06 1C 30 82 06   18 A0 03 02 01 05 A1 18   a...0..........
    0030: 1B 16 47 4C 4F 42 41 4C   2E 54 48 45 4E 41 54 49  ..GLOBAL.THEBANK
    0040: 4F 4E 41 4C 2E 43 4F 4D   A2 35 30 33 A0 03 02 01  .COM.503....
    0050: 00 A1 2C 30 2A 1B 04 48   54 54 50 1B 22 6D 65 6C  ..,0*..HTTP."mel
    0060: 6C 61 64 63 61 6C 31 32   2E 67 6C 6F 62 61 6C 2E  ladcal12.global.
    0070: 74 68 65 6E 61 74 69 6F   6E 61 6C 2E 63 6F 6D A3  THEBANK.com.
    0080: 82 05 BE 30 82 05 BA A0   03 02 01 03 A1 03 02 01  ...0............
    0090: 03 A2 82 05 AC 04 82 05   A8 7C 5F 4C 2B B3 A2 20  .........._L+.. 
    00A0: B1 58 67 0E 73 97 E0 D5   5F 46 80 95 DD 78 E0 79  .Xg.s..._F...x.y
    ...
    REMOVED FOR BREVITY
    ...
    06E0: 17 93 E7 C8 65 C8 B3 CF   CB B9 5A B6 82 9F 8D 70  ....e.....Z....p
    06F0: 31 C5 3E D1 23 70 82 05   96 CF F5 1B 2B BC 64 BE  1.>.#p......+.d.
    0700: 41 1D B6 DD 14 04 F9 DF   AA E0                    A.........
    
    Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
    >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Krb5Context setting peerSeqNumber to: 462228458
    
    HTTP_STATUS_CODE=200
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
        <title>Hello SPNEGO Example</title>
    </head>
    <body>
    Hello pddoyle !
    </body>
    </html>
    

    krb5.conf

    [libdefaults]
        default_realm = GLOBAL.THEBANK.COM
        default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        udp_preference_limit = 1

    [realms]
        GLOBAL.THEBANK.COM = {
            kdc = nycwisadc03.global.THEBANK.com
            default_domain = global.THEBANK.com
        }

    [domain_realm]
        .global.THEBANK.com = GLOBAL.THEBANK.COM
        global.THEBANK.com = GLOBAL.THEBANK.COM

    [appdefaults]
        autologin = true
        forward = true
        forwardable = true
        encrypt = true
    
     
  • Peter

    Peter - 2014-03-04

    An update to the post. I have captured the krb5 packets and am getting the following error from the KDC:
    error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)

     
  • Peter

    Peter - 2014-03-04

    Problem solved :) Looks as though Windows 7 disables DES encryption by default, so your service account must have AES 128 or AES 256 enabled by default. I would recommend that anyone having problems getting Kerberos working get Wireshark up and running and look closely at the KRB5 packets, particularly the supported encryption types in the TGS-REQ from the client.

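The symptom in the first post (IE silently falling back to NTLM) and the advice in the last one (look at what the client actually sends) both start with the same question: did the browser send a Kerberos token or an NTLM one? This added example, which is not code from the thread or from the SPNEGO project, classifies the Authorization header a browser sends to a Tomcat endpoint as NTLM, SPNEGO-wrapped Kerberos, or raw Kerberos; the sample headers are constructed, and the host name is the one from the first post.

```python
import base64

# DER-encoded OIDs that open a GSS-API InitialContextToken (RFC 2743):
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2

def classify_negotiate(header_value: str) -> str:
    """Classify an Authorization header value as 'ntlm', 'spnego-kerberos',
    'raw-kerberos' or 'unknown' by decoding the token the browser sent."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"                     # Basic, Digest, or nothing usable
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return "unknown"
    # NTLMSSP signature: base64 of an NTLM type-1 message always starts "TlRMTVNTUAAB"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    # A GSS token is a DER [APPLICATION 0] SEQUENCE (tag 0x60) followed by the mech OID
    if raw[:1] == b"\x60":
        head = raw[:16]
        if SPNEGO_OID in head:
            return "spnego-kerberos"
        if KRB5_OID in head:
            return "raw-kerberos"
    return "unknown"

def summarize(header_lines):
    """Count the token kind of every Authorization header in a list of
    'Name: value' request-header lines; other headers are skipped."""
    counts = {"ntlm": 0, "spnego-kerberos": 0, "raw-kerberos": 0, "unknown": 0}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            counts[classify_negotiate(value)] += 1
    return counts

# Constructed sample tokens (not captured from the poster's environment).
# NTLM type 1: signature, message type 1 (little-endian), flags, empty domain/workstation fields.
_ntlm_type1 = b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
NTLM_HEADER = "Negotiate " + base64.b64encode(_ntlm_type1).decode()
# Minimal SPNEGO NegTokenInit shell: tag 0x60, short-form length, mech OID, empty inner token.
_spnego_body = SPNEGO_OID + b"\xa0\x02\x30\x00"
KERBEROS_HEADER = "Negotiate " + base64.b64encode(b"\x60" + bytes([len(_spnego_body)]) + _spnego_body).decode()
# Raw Kerberos GSS token shell: tag 0x60, length, krb5 mech OID, TOK_ID 01 00 (AP-REQ).
RAW_KRB5_HEADER = "Negotiate " + base64.b64encode(b"\x60\x0d" + KRB5_OID + b"\x01\x00").decode()
SAMPLE_HEADERS = [
    "Host: melladcal12.global.thebank.com:51810",
    "Authorization: " + NTLM_HEADER,
    "Authorization: " + KERBEROS_HEADER,
]
```

Running `summarize(SAMPLE_HEADERS)` on a capture where every Authorization header counts as "ntlm" confirms the browser never produced a Kerberos token, which points at the SPN or the service account's enctypes rather than at Tomcat.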