{"id":1584,"date":"2017-07-10T11:02:21","date_gmt":"2017-07-10T16:02:21","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=1584"},"modified":"2021-04-19T23:33:38","modified_gmt":"2021-04-20T04:33:38","slug":"kerberos-authentication-on-tomcat","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=1584","title":{"rendered":"Kerberos Authentication on Tomcat"},"content":{"rendered":"

I finally got around to testing out TomCat 8 and setting up Kerberos authentication for a “single sign-on” experience (i.e. it re-uses the domain logon Kerberos token to authenticate users). This was all done in a docker image, so the config files can be stashed and re-used by anyone with Docker.<\/p>\n

First you need an account – on the account properties page, the DES encryption needs to be unchecked and the two AES ones need to be checked. The account then needs to have a service principal name mapped to it. That name will be based on the URL used to access the site. In my case, my site is http:\/\/lisa.example.com:8080 (SPNs don’t mind http\/https or port numbers) so my SPN is HTTP\/lisa.example.com … to set the SPN, run<\/p>\n

setspn -A HTTP\/lisa.example.com sAMAccountNameOfMyNewlyCreatedAccount\r\n<\/pre>\n
Then generate the keytab:<\/p>\n
ktpass \/out .\\lisa.example.com.keytab \/mapuser sAMAccountNameOfMyNewlyCreatedAccount@EXAMPLE.COM \/princ HTTP\/lisa.rushworth.us@EXAMPLE.COM \/pass P@ssw0rdG03sH3r3\r\n<\/pre>\n
** Note about keytabs – there is a KVNO (key version number) associated with a keytab file. When security-related attributes on the account are changed, the KVNO is incremented. Aaaand you need a new keytab. This means you need to be able to get a new keytab if you plan on changing the account password, but it also means that tweaking account settings\u00a0can<\/em> render your keytab useless. Get the account all sorted (check off password never expires if that’s what you want, check off user cannot change password, etc) and\u00a0then<\/em> generate the keytab.<\/p>\n
While you’re working on getting the SPN and keytab stuff sorted, get docker installed and running on your box. I use Docker CE<\/a> (free) on my Windows laptop, and I’ve had to disable the firewall to allow access from external clients. I would\u00a0expect<\/em> a rule (esp one allowing anything to make an inbound connection to 8080\/tcp!) would sort it, but I’ve always had the port show as filtered until the firewall is turned off. YMMV.<\/p>\n
I create a folder for files mapped into docker containers (i.e. c:\\docker) and sub-folders for each specific container. All of the files from\u00a0TomcatKerberosConfigFiles<\/a>\u00a0are unzipped into that folder. The\u00a0test website is named lisa.rushworth.us and is either set up in DNS or added to c:\\windows\\system32\\drivers\\etc\\hosts on the client(s) that will access the site. And, of course, there’s a client machine somewhere logged onto the domain. You are going to need to tweak my config files for your domain.<\/p>\n
In jaas.conf — I have debug on. Good for testing and playing around, bad for production use. Also you’ll need\u00a0your<\/em> SPN and keytab file name<\/p>\n
principal=\"HTTP\/lisa.example.com@EXAMPLE.COM\"\r\nkeyTab=\"\/usr\/local\/tomcat\/conf\/lisa.example.com.keytab\"\r\n<\/pre>\n
In krb5.conf — the encryption is about the only thing you can keep. Use your hostnames and domain name (REALM). If you have multiple domain controllers, you can have more than one “kdc = ” line in the realms.<\/p>\n
[libdefaults]\r\ndefault_realm = EXAMPLE.COM\r\ndefault_keytab_name = \/usr\/local\/tomcat\/conf\/lisa.rushworth.us.keytab\r\ndefault_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc\r\ndefault_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc\r\npermitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc\r\nforwardable=true\r\n\r\n[realms]\r\nRUSHWORTH.US = {\r\nkdc = exchange01.example.com:88\r\nmaster_kdc = exchange01.example.com:88\r\nadmin_server = exchange01.example.com:88\r\n}\r\n\r\n[domain_realm]\r\nexample.com= EXAMPLE.COM\r\n.example.com= EXAMPLE.COM\r\n<\/pre>\n
In web.xml – Roles may need to be sorted around (I’m not much of a TomCat person, LMGTFY if you want to do something with roles). Either way, the realm needs to be changed to yours<\/p>\n
<realm-name>EXAMPLE.COM<\/realm-name>\r\n<\/pre>\n
Once Docker is running and the files are updated with your domain info, install the tomcat:8.0 image from the default repository. Start the container mapping all of the custom config files where they go:<\/p>\n
docker run -detach --publish 8080:8080 --name tomcat8 --restart always -v \/c\/docker\/tomcat8\/tomcat-users.xml:\/usr\/local\/tomcat\/conf\/tomcat-users.xml:ro -v \/c\/docker\/tomcat8\/lisa.example.com.keytab:\/usr\/local\/tomcat\/conf\/lisa.example.com.keytab:ro -v \/c\/docker\/tomcat8\/krb5.conf:\/usr\/local\/tomcat\/conf\/krb5.conf:ro -v \/c\/docker\/tomcat8\/jaas.conf:\/usr\/local\/tomcat\/conf\/jaas.conf:ro -v \/c\/docker\/tomcat8\/web.xml:\/usr\/local\/tomcat\/webapps\/examples\/WEB-INF\/web.xml:ro -v \/c\/docker\/tomcat8\/context.xml:\/usr\/local\/tomcat\/webapps\/examples\/WEB-INF\/context.xml:ro -v \/c\/docker\/tomcat8\/logging.properties:\/usr\/local\/tomcat\/conf\/logging.properties:ro -v \/c\/docker\/tomcat8\/spnego-r9.jar:\/usr\/local\/tomcat\/lib\/spnego-r9.jar:ro -v \/c\/docker\/tomcat8\/login.conf:\/usr\/local\/tomcat\/conf\/login.conf:ro -v \/c\/docker\/tomcat8\/testAuth.jsp:\/usr\/local\/tomcat\/webapps\/examples\/testAuth.jsp:ro tomcat:8.0\r\n<\/pre>\n
A couple of useful things about Docker — the container ID is useful<\/p>\n
C:\\docker\\tomcat8>docker ps\r\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\r\n4e06b32e1ca8<\/strong> tomcat:8.0 \"catalina.sh run\" 12 minutes ago Up 12 minutes 0.0.0.0:8080->8080\/tcp, 0.0.0.0:8888->8080\/tcp tomcat8\r\n<\/pre>\n
But most commands seem to let you use the ‘friendly’ name you ascribed to the container. Running “docker inspect” will give you details about the container – including its IP address. I’ve found different images use different settings: some map to localhost on my box, some get an IP address within my DHCP range.<\/p>\n
C:\\docker\\tomcat>docker inspect tomcat8 | grep IPAddress\r\n\"SecondaryIPAddresses\": null,\r\n\"IPAddress\": \"172.17.0.2\",\r\n\"IPAddress\": \"172.17.0.2\",\r\n<\/pre>\n
Since this is an image that maps to localhost on my box, I need the lisa.example.com hostname to resolve to my laptop’s IP address. For simplicity, I did this by editing the c:\\windows\\system32\\drivers\\etc\\hosts file.<\/p>\n
Shell into the container:<\/p>\n
docker exec -it tomcat8 bash\r\n<\/pre>\n
Update your packages and install the kerberos client utilities:<\/p>\n
root@4e06b32e1ca8:\/usr\/local\/tomcat\/conf# apt-get update\r\nroot@4e06b32e1ca8:\/usr\/local\/tomcat\/conf# apt-get install krb5-user\r\n<\/pre>\n
Then test that your keytab is working:<\/p>\n
root@4e06b32e1ca8:\/usr\/local\/tomcat\/conf# kinit -k -t .\/lisa.example.com.keytab HTTP\/lisa.example.com@EXAMPLE.COM\r\nroot@4e06b32e1ca8:\/usr\/local\/tomcat\/conf# klist\r\nTicket cache: FILE:\/tmp\/krb5cc_0\r\nDefault principal: HTTP\/lisa.example.com@EXAMPLE.COM\r\n\r\nValid starting Expires Service principal\r\n07\/08\/2017 18:27:38 07\/09\/2017 04:27:38 krbtgt\/EXAMPLE.COM@EXAMPLE.COM\r\nrenew until 07\/09\/2017 18:27:38\r\n<\/pre>\n
Assuming you don’t get errors authenticating using the Kerberos client utilities, try accessing the TomCat site. I’ve added a testAuth.jsp file to the examples webapp – it shows the logon method, user name, and what roles they have:<\/p>\n
\"\"<\/a><\/p>\n