
Java Security


Help getting authentication=

843811 · Oct 31 2005 — edited Jun 12 2006
Greetings,

I could use some help with getting tomcat 5.5.12 to use Kerberos against Microsoft Active Directory.

I have been using Ethereal to sniff the packets going back and forth from tomcat and I verified that with a normal server.xml entry (remove the authentication attribute keyword below), it uses 'simple' authentication (clear text passwords).

My original server.xml works just fine but now I'm trying to take it to the next level and I found documentation (jdk-1_5_0-doc.zip\docs\guide\jndi\jndi-ldap.html) that specifies the following values:

- EXTERNAL (RFC 2222). This mechanism obtains authentication information from an external source (such as SSL/TLS or IPsec).
- DIGEST-MD5 (RFC 2831) is for Digest Authentication.
- GSSAPI (RFC 2222) is for Kerberos V5 authentication.

I wish to use GSSAPI to talk with Active Directory so I setup my server.xml with the following :
<Realm className="org.apache.catalina.realm.JNDIRealm" 
	debug="4"
	authentication="GSSAPI"
	connectionName="CN=Klotz\, Dennis,OU=myou,DC=company,DC=com"
	connectionPassword="myPassword"
	connectionURL="ldap://10.16.0.xx:389"
	alternateURL="ldap://10.16.0.xx:389"
	userBase="OU=myou,DC=company,DC=com"
	userSearch="(sAMAccountName={0})"
	userSubtree="true"
	userRoleName="memberOf"
/>
And now I get a different type of error from Catalina.out:
Oct 28, 2005 2:28:47 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
.....
At least the GSSAPI is being recognized! My next step was talking with IT; they suggested a
c:\winnt\krb5.ini
with the following contents:
[libdefaults]
default_realm = COMPANY.COM
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc

[realms]
COMPANY.COM = {
kdc = addy.mycompany.com:88
admin_server = addy.mycompany.com:88
kpasswd_server = addy.mycompany.com:464
default_domain = COMPANY.COM
}
And that I then execute:
$ kinit DKlotz
Password for DKlotz@EMPIRIX.COM:mypassword
New ticket is stored in cache file C:\Documents and Settings\DKlotz\krb5cc_dklotz
But as you can see from the previous tomcat error log that something is still missing. Do I need to move the cache file or do other commands so that the code within ldap.jar can use it?

At this time tomcat never tries connecting to the LDAP server as it can't get out of the starting gate. I've got something wrong / missing from the Kerberos setup.

Any help is greatly appreciated!!

-Dennis Klotz
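As an added example (not code from the post, from Tomcat or from the JDK documentation), the standalone JNDI equivalent of what the JNDIRealm above is asked to do: a JAAS login with Krb5LoginModule picks up the ticket cache that kinit wrote, and the LDAP bind with authentication "GSSAPI" runs inside Subject.doAs so the LDAP provider can find those credentials. The JAAS entry name LdapClient, the jaas.conf file and the search for the DKlotz account are assumptions made for this example.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/*
 * Run as:  java -Djava.security.krb5.conf=c:\winnt\krb5.ini
 *               -Djava.security.auth.login.config=jaas.conf GssapiLdapSearch
 * jaas.conf (constructed for this example) contains one entry:
 *   LdapClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };
 * useTicketCache=true makes Krb5LoginModule read the TGT that kinit stored,
 * so no password needs to sit in a configuration file.
 */
public class GssapiLdapSearch {
    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("LdapClient");  // entry name in jaas.conf
        lc.login();
        Subject subject = lc.getSubject();
        // The LDAP provider's GSSAPI mechanism takes Kerberos credentials from the
        // Subject bound to the current thread, hence everything runs inside doAs.
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, "ldap://10.16.0.xx:389");  // host as in the post
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                // Negotiate integrity and confidentiality on the SASL layer, so the
                // search traffic after the bind is not sent in clear text.
                env.put("javax.security.sasl.qop", "auth-conf");
                DirContext ctx = new InitialDirContext(env);
                try {
                    SearchControls sc = new SearchControls();
                    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                    NamingEnumeration<SearchResult> hits = ctx.search(
                            "OU=myou,DC=company,DC=com", "(sAMAccountName={0})",
                            new Object[] { "DKlotz" }, sc);
                    while (hits.hasMore()) {
                        System.out.println(hits.next().getNameInNamespace());
                    }
                } finally {
                    ctx.close();
                }
                return null;
            }
        });
    }
}
```

The des-cbc-crc enctypes in the krb5.ini above are treated as weak and are disabled by default in current JDKs (allow_weak_crypto = false in [libdefaults]); a current domain controller offers AES enctypes, which is what a fresh krb5.ini should list.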
Locked on Jul 10 2006
Added on Oct 31 2005