
SPNEGO in tomcat always prompting password

My SPNEGO configuration seems to not work and always prompts for a password in my tomcat8.

Installation/Configuration SPNEGO install guide

I added the library spnego-r9.jar to the "tomcat\lib" folder. I added the .conf files as well. Here is the krb5.conf:

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
udp_preference_limit = 1
default_realm=EXAMPLE.COM
default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes256-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes256-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes256-cts-hmac-sha1-96 rc4-hmac

[realms]
EXAMPLE.COM = {
    default_domain=example.com
    kdc=dc2.example.com:88
}

[domain_realm]
.example.com=EXAMPLE.COM
example.com=EXAMPLE.COM

The SpnegoHttpFilter was then added to the web.xml. Last but not least, I contacted our admins and added the following to the user registered in the SpnegoHttpFilter:

setspn.exe -A HTTP/ourserver01.example.com/projectXY exampleUser
setspn.exe -A HTTP/ourserver01/projectXY exampleUser

The result is a password prompt even though my accessing user is logged in to the EXAMPLE.COM domain. To my knowledge this should not happen. I logged on to our server and found that its domain is a workgroup (using wmic computersystem get domain in cmd). Could that be an issue, and how would I go about resolving it?

EDIT: Here is the second .conf file:

spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    isInitiator=false;
};

I checked the packages via Wireshark and found the unknown principal name error. Thanks for the hint @Samson Scharfrichter

The correct spn registration is setspn.exe -A HTTP/ourserver01.example.com exampleUser without the project itself.
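
Added example, not part of the original post: a small Python check that derives the SPN a client requests for a URL and lints a list of registered SPNs against it, using the registrations from the question. It assumes the client requests HTTP/<host> exactly as the host appears in the URL, with no port and no DNS canonicalization; the sample URL and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def expected_spn(url):
    """SPN requested for a URL: HTTP/<host>. Scheme, port and path are not part of it (assumption)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return "HTTP/" + host.lower()

def parse_spn(spn):
    """Split serviceclass/host[:port][/servicename] into its parts."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = parts[1].partition(":")
    name = parts[2] if len(parts) == 3 else None
    return parts[0].upper(), host.lower(), port or None, name

def check_spns(url, registered):
    """Return (usable SPNs, [(spn, reason it will not match)])."""
    want = expected_spn(url)
    usable, findings = [], []
    for spn in registered:
        cls, host, port, name = parse_spn(spn)
        if cls + "/" + host != want:
            findings.append((spn, "service class or host differs from " + want))
        elif name is not None:
            findings.append((spn, "extra component '%s' after the host" % name))
        elif port is not None:
            findings.append((spn, "port-qualified; assumed client sends no port"))
        else:
            usable.append(spn)
    return usable, findings

# Constructed sample URL for the application from the question.
SAMPLE_URL = "http://ourserver01.example.com/projectXY/"
AS_ASKED = ["HTTP/ourserver01.example.com/projectXY", "HTTP/ourserver01/projectXY"]
AS_FIXED = ["HTTP/ourserver01.example.com"]

if __name__ == "__main__":
    for label, spns in (("as asked", AS_ASKED), ("as fixed", AS_FIXED)):
        usable, findings = check_spns(SAMPLE_URL, spns)
        print(label, "-> usable:", usable)
        for spn, reason in findings:
            print("   ", spn, ":", reason)
```
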
