Kerberos (the basis for integrated Windows authentication) requires careful
configuration. If the steps in this guide are followed exactly, then a working
configuration will result. It is important that the steps below are followed
exactly. There is very little scope for flexibility in the configuration. From
the testing to date it is known that:
- The host name used to access the Tomcat server must match the host name in
the SPN exactly else authentication will fail. A checksum error may be reported
in the debug logs in this case.
- The client must be of the view that the server is part of the local trusted
intranet.
- The SPN must be HTTP/<hostname> and it must be exactly the same in all
the places it is used.
- The port number must not be included in the SPN.
- No more than one SPN may be mapped to a domain user.
- Tomcat must run as the domain account with which the SPN has been associated
or as domain admin. It is NOT recommended to run Tomcat under a
domain admin user.
- The domain name (
DEV.LOCAL) is not case sensitive when used in
the ktpass command, nor when used in jaas.conf
- The domain must be specified when using the ktpass command
There are four components to the configuration of the built-in Tomcat
support for Windows authentication. The domain controller, the server hosting
Tomcat, the web application wishing to use Windows authentication and the client
machine. The following sections describe the configuration required for each
component.
The names of the three machines used in the configuration examples below are
win-dc01.dev.local (the domain controller), win-tc01.dev.local (the Tomcat
instance) and win-pc01.dev.local (client). All are members of the DEV.LOCAL
domain.
Note: In order to use the passwords in the steps below, the domain password
policy had to be relaxed. This is not recommended for production environments.
| Domain Controller |
These steps assume that the server has already been configured to act as a
domain controller. Configuration of a Windows server as a domain controller is
outside the scope of this how-to. The steps to configure the domain controller
to enable Tomcat to support Windows authentication are as follows:
- Create a domain user that will be mapped to the service name used by the
Tomcat server. In this how-to, this user is called
tc01 and has a
password of tc01pass.
- Map the service principal name (SPN) to the user account. SPNs take the
form
<service class>/<host>:<port>/<service name>.
The SPN used in this how-to is HTTP/win-tc01.dev.local. To
map the user to the SPN, run the following:
setspn -A HTTP/win-tc01.dev.local tc01
- Generate the keytab file that the Tomcat server will use to authenticate
itself to the domain controller. This file contains the Tomcat private key for
the service provider account and should be protected accordingly. To generate
the file, run the following command (all on a single line):
ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL
/princ HTTP/win-tc01.dev.local@DEV.LOCAL
/pass tc01pass /kvno 0
- Create a domain user to be used on the client. In this how-to the domain
user is
test with a password of testpass.
The above steps have been tested on a domain controller running Windows
Server 2008 R2 64-bit Standard using the Windows Server 2003 functional level
for both the forest and the domain.
|
| Tomcat instance (Windows server) |
These steps assume that Tomcat and a Java 6 JDK/JRE have already been
installed and configured and that Tomcat is running as the tc01@DEV.LOCAL
user. The steps to configure the Tomcat instance for Windows authentication
are as follows:
- Copy the
tomcat.keytab file created on the domain controller
to $CATALINA_BASE/conf/tomcat.keytab.
- Create the kerberos configuration file
$CATALINA_BASE/conf/krb5.ini. The file used in this how-to
contained:[libdefaults]
default_realm = DEV.LOCAL
default_keytab_name = FILE:c:\apache-tomcat-7.0.x\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
[realms]
DEV.LOCAL = {
kdc = win-dc01.dev.local:88
}
[domain_realm]
dev.local= DEV.LOCAL
.dev.local= DEV.LOCAL
java.security.krb5.conf system property.
- Create the JAAS login configuration file
$CATALINA_BASE/conf/jaas.conf. The file used in this how-to
contained:com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
useKeyTab=true
keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
storeKey=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
useKeyTab=true
keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
storeKey=true;
};
java.security.auth.login.config system property. The LoginModule
used is a JVM specific one so ensure that the LoginModule specified matches
the JVM being used. The name of the login configuration must match the
value used by the authentication
valve.
The SPNEGO authenticator will work with any
Realm but if used with the JNDI Realm, by default the JNDI Realm will use
the user's delegated credentials to connect to the Active Directory.
The above steps have been tested on a Tomcat server running Windows Server
2008 R2 64-bit Standard with an Oracle 1.6.0_24 64-bit JDK.
|
| Tomcat instance (Linux server) |
This was tested with:
- Java 1.7.0, update 45, 64-bit
- Ubuntu Server 12.04.3 LTS 64-bit
- Tomcat 8.0.x (r1546570)
It should work with any Tomcat 7 release from 7.0.12 onwards although it is
recommended that the latest stable release is used.
The configuration is the same as for Windows but with the following
changes:
- The Linux server does not have to be part of the Windows domain.
- The path to the keytab file in krb5.ini and jass.conf should be updated
to reflect the path to the keytab file on the Linux server using Linux
style file paths (e.g. /usr/local/tomcat/...).
|
| Web application |
The web application needs to be configured to the use Tomcat specific
authentication method of SPNEGO (rather than BASIC etc.) in
web.xml. As with the other authenticators, behaviour can be customised by
explicitly configuring the
authentication valve and setting attributes on the Valve.
|
| Client |
The client must be configured to use Kerberos authentication. For Internet
Explorer this means making sure that the Tomcat instance is in the "Local
intranet" security domain and that it is configured (Tools > Internet
Options > Advanced) with integrated Windows authentication enabled. Note that
this will not work if you use the same machine for the client
and the Tomcat instance as Internet Explorer will use the unsupported NTLM
protocol.
|
