Hi.
Much better..
I don't know if I will be able to help you, considering my little knowledge of Kerberos,
but I'm sure that someone else now will be.
Post by Thomas DelaneySPNEGO
http://spnego.sourceforge.net/
I also used this documentation in order to get my workstation to accept
Kerberos authentication and not default to NTLM.
https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM
*I created/configured the following based on what was outlined from the
SPNEGO doc:*
login.conf
krb.conf
HelloKDC.java successfully connected when testing
The SPNEGO filter in Apache Tomcat's web.xml
Took the source code for spnego.jar and placed it in Apache Tomcat's library
hello_spnego.jsp successfully displayed the correct remote user on the web
page
hello_delegate.jsp successfully displayed the correct delegated credentials
on the webpage.
Ok, so we can assume
- that the basic Kerberos infrastructure works
- that you know how to set it up
- and that it works when you do the Kerberos authentication in Tomcat itself, and access
tomcat directly from the browser.
Post by Thomas DelaneyOnce I was able to verify that the above steps worked on Apache Tomcat. I
tested the same web pages on Apache HTTPD.
You mean "when accessing Tomcat /through/ the Apache httpd front-end, right ?
From your original description, I thought that you wanted to do the Kerberos
authentication in the front-end Apache httpd, and pass on the authenticated user-id to the
back-end Tomcats then. That's still an option anyway.
But from the description below it looks like you want to keep the SPNEGO/Kerberos
authentication at the Tomcat level, and just want the front-end httpd to be "transparent"
with respect to the Kerberos authentication exchanges.
Do I get this right ?
I ran into issues when testing
Post by Thomas Delaneyhello_spnego.jsp and hello_delegate.jsp.
hello_spnego.jsp -> "hello root !" (root being a unix user and not the
AD/Windows user signed onto the domain).
hello_delegate.jsp -> "No delegated creds."
*Here is the section of the SPNEGO doc source on how to setup
hello_delegation.jsp and create hello_spnego.jsp:*
http://spnego.sourceforge.net/credential_delegation.html
Mmm. This is quite complicated, but I think that I'm starting to guess what the problem is.
I think that "delegation" is not really what you want to do here. It might work in the
absolute (if everything was set up correctly to do it), but I believe that it is overkill
in your case; and I believe that you are missing one piece of the puzzle anyway.
Taking into account my total lack of experience with SPNEGO/Kerberos delegation - and thus
taking this with a grain of salt - I believe (from the above documentation page) that for
such a delegation to work with an Apache httpd front-end, your browser would /first/ need
to be authenticated already by the front-end (for example, "as you"), and that this
front-end /itself/ would need to have /its own (separate) account/ in your infrastructure
- and an account with special properties - in order to be allowed to authenticate "as you"
(otherwise said : "impersonate you") with the Tomcat back-end's SPNEGO/Kerberos Valve.
Post by Thomas Delaney*Here is how I have Apache HTTPD forwarding requests to Tomcat. *
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/"
env=BALANCER_ROUTE_CHANGED
<Proxy balancer://application>
BalancerMember "http://localhost:8081/application" route=node1
BalancerMember "http://localhost:8082/application" route=node2
BalancerMember "http://localhost:8083/application" route=node3
ProxySet lbmethod=byrequests stickysession=ROUTEID
</Proxy>
ProxyPass /application balancer://application/
ProxyPassReverse /application balancer://application/
What you are setting up here is a standard Apache httpd "reverse proxy
+ load-balancer". But, as far as I can see from the above, this proxy does not (itself)
authenticate the browsers which talk to it.
So this front-end proxy does not really have a (browser-originating) user-id for which it
would be able to request a "delegated authentication".
And it is also not set up to do "delegated authentication" with the back-end Tomcat's
SPNEGO/Krberos Valve.
This may be a bit confusing, and maybe this article explains it better than I could :
https://blogs.informatica.com/2018/05/07/the-kerberos-conundrum-a-proxys-plight/#fbid=UtL4Ic19fwv
(Obviously, this is talking about some other front-end proxy software, but you can see
that one needs something additional on the front-end proxy, to do this kind of thing).
All in all, if all that you need is that the application installed under Tomcat would be
able to obtain an authenticated "current user-id", I would suggest that instead of trying
to configure this using impersonation/delegation, you try something simpler to set up :
- remove the SPNEGO/Kerberos authentication part in Tomcat
- add an SPNEGO/Kerberos authentication at the Apache httpd front-end level, so that the
front-end authenticates the user, *before* proxying the requests to the back-end Tomcat
- then configure the front-end to pass along this by now authenticated user-id, in the
requests that it passes to Tomcat
- and configure Tomcat to pick up this user-id from the request, and take it as the
Tomcat-level user-id for the request
For the first part, you could use this as a guide :
http://www.microhowto.info/howto/configure_apache_to_use_kerberos_authentication.html
or this :
http://modauthkerb.sourceforge.net/configure.html
For the second part, the easiest way is to use the AJP-protocol proxying between Apache
httpd and Tomcat, as indicated in a previous message to the list.
Post by Thomas DelaneyPost by Thomas DelaneyPost by Thomas DelaneyHello All,
I have recently configured Apache Tomcat on a SuSe Enterprise 12 SP3
server
Post by Thomas Delaneyto get Kerberos SSO working with a web client application. I have also in
addition configured Apache HTTPD 2.4.29 on the same machine.When I reach
that website I am failing to get SSO working. The web server is not
passing
Post by Thomas Delaneyoff the delegation credentials to Apache Tomcat server. I have the web
server load balance proxying it's request to multiple Apache Tomcat
instances. I have tried applying mody_proxy_http environment variables,
but
Post by Thomas Delaneythe site continues to fail SSO. Is there a guide or configuration that
HTTPD and Apache Tomcat both use to involve Apache HTTPD passing off
delegation credentials to Apache Tomcat?
If you would like someone here to be able to help you, you would need to be much more
precise than that. You write "I have done this" and "I have done that", but without
giving any clue as to /how/ you did this or that.
You are not even saying /where/ you have configured the Kerberos SSO. Under the Apache
httpd front-end ? or under Tomcat ?
https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Apache_httpd
(and, in your mind, substitute "Windows authentication" by "Kerberos authentication")
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org