Service account authentication problem

Sep 11, 2010 at 8:35 AM

Hi,

While running the Tomcat service as the Local System account, NTLM authentication works and I am able to get the remote user details. But when configuring Tomcat with a service account username and password, there is a popup for user credentials. The service account username is registered with a valid AD account setup. Can you please assist me?

Thanks

Babu

Coordinator
Sep 12, 2010 at 10:00 AM

Hello,

The browser wants to be authenticated by the service. But it does not know the name of the account used by the service. So the browser uses the Service Principal Name (HTTP/yourservername) to request a service ticket from the Ticket Granting Service (domain controller). The browser sends this ticket to Tomcat. But this ticket can only be decrypted by the account associated with this SPN in AD.

You can use setspn.exe to find the Service Principal Name (SPN) of an account.

By default, the accounts of the computers have HOST/nameoftheserver as SPN, and the two accounts SYSTEM and Network Service are bound to the account of the server in Active Directory. If there is no SPN HTTP/nameoftheserver in AD, HOST/nameoftheserver is used. So, if you use SYSTEM or Network Service, you can be authenticated.

By default, there is no SPN with an address in AD. So, if you do not use the name of the server but its address in the URL, NTLM will be used.

Network Service is not an administrator, so you can use this account. Of course, you must give this account permissions on the Tomcat directory. All the services running with this account will have the permissions of this account on the server. So, since Vista (Vista, Seven, 2008, 2008 R2), you can use a SID per service. To define this SID, you can use the command SC.exe (http://blogs.technet.com/b/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx or http://blogs.technet.com/b/voy/archive/2007/03/22/per-service-sid.aspx).

With Windows 2003, you cannot use the SID per service. But you can use Network Service.

You can also define another account in AD. Tomcat will be running with this account, but it is not associated with the SPN. So in this case you must add an SPN (HTTP/nameofyourserver) to this account with the command setspn.exe. In this case, the SPN HOST/nameofyourserver is no longer used by AD for http or https. But if there is more than one account with the SPN HTTP/nameofyourserver, the Kerberos authentication does not work.

You have an example with setspn.exe in the file configure.txt.

Dominique
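The lookup Dominique describes (HTTP/ SPN first, HOST/ fallback, NTLM for an address, failure on duplicate SPNs, and a ticket the running account cannot decrypt) can be modelled as a small diagnostic. This is an added example, not code from the thread or from tomcatspnego; the account names and SPN values are constructed sample data.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of servicePrincipalName values per AD account (not a real
# directory). A computer account gets HOST/<name> by default, and the machine's
# SYSTEM / Network Service identities map onto that computer account.
SAMPLE_SPNS = {
    "TOMCATSERVER$": ["HOST/tomcatserver", "HOST/tomcatserver.test.net"],
    "svc_tomcat": [],  # dedicated service account, no SPN registered yet
}
COMPUTER_ACCOUNT = "TOMCATSERVER$"
LOCAL_IDENTITIES = {"SYSTEM", "NETWORK SERVICE"}


def holders(spn_map, spn):
    """Accounts whose SPN list contains spn (SPNs compare case-insensitively)."""
    return sorted(acct for acct, spns in spn_map.items()
                  if spn.upper() in (s.upper() for s in spns))


def diagnose(url, service_identity, spn_map=SAMPLE_SPNS):
    """Predict the outcome of the browser's Negotiate exchange for this URL."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "NTLM_FALLBACK"  # no SPN exists for an address, so NTLM is used
    except ValueError:
        pass
    running_as = (COMPUTER_ACCOUNT if service_identity.upper() in LOCAL_IDENTITIES
                  else service_identity)
    # The client asks for HTTP/<host>; the KDC falls back to HOST/<host>.
    for spn in (f"HTTP/{host}", f"HOST/{host}"):
        accounts = holders(spn_map, spn)
        if len(accounts) > 1:
            return f"DUPLICATE_SPN:{spn}"  # Kerberos breaks on duplicate SPNs
        if accounts:
            if accounts[0] == running_as:
                return "KERBEROS_OK"
            # Ticket is encrypted for another account: Tomcat cannot decrypt
            # it, which shows up as the credential popup from the question.
            return f"KEY_MISMATCH:{spn}->{accounts[0]}"
    return "NO_SPN"


def register_http_spn(spn_map, account, host):
    """Register HTTP/<host> on account, refusing duplicates like setspn -S does."""
    spn = f"HTTP/{host}"
    existing = holders(spn_map, spn)
    if existing:
        raise ValueError(f"{spn} is already registered to {existing}")
    spn_map.setdefault(account, []).append(spn)
```

Running `diagnose` before and after `register_http_spn` for the service account reproduces both the symptom in the question and the fix in this reply.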


Sep 13, 2010 at 8:27 PM

Thanks Dominique,

It worked with the NegoServer configuration. One more doubt with cross-domain. Now I have deployed with DOMAIN-A; when users come from DOMAIN-A they get authenticated. But users from another domain like DOMAIN-B get a 401 unauthorized error. Can you please address this issue? Do I need any extra configuration?


Thanks

Babu

Coordinator
Sep 15, 2010 at 8:00 PM

Hello,

When you use TCP, Tomcat does not authenticate the client; Negoserver does. So Tomcat can be running with another account. But Negoserver must be running with SYSTEM or Network Service. If you use another account for Negoserver, you must define the Service Principal Name attribute of this account.

Can you send, in a new issue tracker item, the file web.xml of your Tomcat application? Can you enable logging in Tomcat and send logs/catalina.log from the directory where Tomcat is installed? To do that, read the file example/HowTo.txt from the file trunk***.zip.

Dominique

Coordinator
Sep 16, 2010 at 7:04 AM

Hello,

Is there a trust relationship between the two domains? Are they on the same forest?

When you use Negoserver, the Java classes get the ticket sent by the client. Then this ticket is sent to the NegotiateStream class of the .NET Framework, and Negoserver sends the result back to the Java classes. So, a priori, you can use many domains of the same forest.

I will install a lab with two domains: 1) da.net with a domain controller dca and 2) db.da.net with dcb. The web server will be webserver.da.net and the client client.db.da.net. Creating this lab takes time. Do not forget to send the logs. You can also add the logs of Negoserver.

Dominique

Coordinator
Sep 30, 2010 at 4:37 PM

Hello

tomcatspnego works with many domains.

I created a lab with two domains.

I have a first domain test.net with kdctest.test.net as the domain controller, and tomcatserver.test.net. Tomcatserver.test.net is a member of the domain test.net. The server kdctest.test.net is also the DNS server.
The second domain is client.test.net with kdcclient.client.test.net as the domain controller and browsers.client.test.net. The computer browser.client.test.net is a member of client.test.net.

On tomcatserver, I installed Tomcat as a service, .NET 2 SP2, and the Negoserver service. I added the application authbysspiv2 and copied the file frdoumesspitc6v2.jar into the lib directory of Tomcat.

I created the account spnegoclient in the domain client.test.net. I connected to the server client.test.net with this account. After configuring IE, I queried http://tomcatserver.test.net/authbysspiv2/index.jsp and was authenticated.

Dominique