Configuring Tomcat for Windows Integrated AuthenticationBefore Getting Started Be sure that you have read and successfully performed ALL of the steps in the pre-flight documentation before proceeding any further. Finally, confirm that the server is on the domain by going to
We want to be sure that the host/server is on the domain. If during install of Windows Server you did not specify to join a Domain, you can click the "Change..." button now to join the Domain. Downloading and Installing Tomcat Go to the Apache Tomcat web site and download the "Windows Service Installer" version from the binary distribution section of the download page. Logon to your server as Administrator and perform the installation. By default, Tomcat will be installed under: Notice that the Tomcat Home directory contains the directories
Testing the Tomcat Install Before we install and configure the SPNEGO HTTP Servlet Filter, we will first
confirm that Tomcat is running and performing as expected. By default, the Tomcat
service runs on port 8080. From your workstation, open IE and go to
the Downloading spnego.jar If your environment is the following:
please use spnego-r9.jar However, if your environment is the following:
please use spnego-jakarta-2.0.jar You can download either of these jars from sourceforge. Place the spnego.jar file in Tomcat's lib directory: Modifying the web.xml file Open the Find the Here's an example configuration:
Creating a krb5.conf and login.conf file The pre-flight documentation illustrated how to create the krb5.conf and login.conf files for your environment. It also introduced you to the HelloKDC java program that makes use of these files. Copy the krb5.conf and login.conf files that you created earlier to the Tomcat Home directory (note that the JRE must be able to find these files). If you are running Tomcat from the command line, you may want to put these two files in the bin directory. Registering an SPN The best way to register an SPN is to have someone from your Admin/OPS department do it for you. Your OPS team will use the setspn.exe utility found in the Support Tools directory to register all of your SPNs. They will login as Administrator on any machine that has the Support Tools installed and run the command(s). Your OPS team will need two things from you before running the setspn.exe utility: The pre-authentication username should be the same one you used in pre-flight when you ran the HelloKDC.java program. The list of SPNs should comprise of ALL possible aliases for your service. For example, we have a server named \\MEDUSA that has an HTTP server running on port 8080; hence, we have registered these two SPNs:
Also, we have two DNS entries that point http://intranet.kerbtek.com and http://intranet to the \\MEDUSA server; hence, we have additionally registered these two SPNs:
To register the above SPNs, someone from your OPS department would run the following commands:
Here are the results after running the setspn.exe utility and listing the results: Notice that we only needed to register service principal names for Zeus. The commands above are the ONLY commands that need to be performed. We do not want to pass-in as the 3rd argument anything or any name other than the pre-authentication account name. Again, when running the setspn.exe utility with the -A flag, the ONLY value we want for the 3rd/last argument is the pre-authentication account name. Furthermore, we ONLY want to register principal names with the HTTP/ prefix. We do not want to register principal names with a prefix other than HTTP/. Finally, be careful that you do NOT register an SPN to more than one username. A username can have more than one SPN registered but an SPN can only have one username. For example, the following two commands are illegal:
The SPN Creating the hello_spnego.jsp file Create the following hello_spnego.jsp file under the
<html> <head> <title>Hello SPNEGO Example</title> </head> <body> Hello <%= request.getRemoteUser() %> ! </body> </html> Restart the server and login into a workstation before performing the test in the next section. Testing hello_spnego.jsp At this point there should at least be three hosts on your domain (athena.local): Login into your host named \\hercules and use the ping command to confirm that all three machines are on the athena.local domain. Example results from ping-ing \\medusa: Open a browser and go to http://medusa:8080/hello_spnego.jsp If all is working correctly you should see the following (without being prompted): Lastly, the javax.servlet.http.HttpServletRequest API is an interface that defines the method named getRemoteUser. In addition, the API defines the method named isUserInRole. The SPNEGO Library also implements the isUserInRole method. In this guide, the SPNEGO Library was configured to perform authentication (authN). However, the SPNEGO Library defines additional APIs as well as provide a reference implementation that allow for a more expressive authorization (authZ) scheme. If in addition to authenticating the user, you also need to check the user's authorization credentials, take a look at the enable authZ with LDAP guide. The javadocs for the SpnegoAccessControl interface, the UserAccessControl interface, and the LdapAccessControl class contain authorization usage examples.Troubleshooting hello_spnego.jsp The best way to troubleshoot hello_spnego.jsp is to run TCPMon. Take a look at the Troubleshooting hello_spnego.jsp page for more details on using this tool.
Links:
Troubleshooting:
Examples:
Licensing:
© 2009 Darwin V. Felix. All rights reserved.
|