Using negoserver with Kerb authentication

Apr 25, 2014 at 12:42 PM
Hi,

I am trying to add Kerb authentication into an old Tomcat 5.5 environment!

I am using negoserver, running as "local system" account. I have amended Negoserver.exe.config to uncomment the "onlykerberos" option.

Eventually, I would like to get this working with the server's DNS alias, but for now I am using the server's name.

The problem is, when accessing http://myserver/authbysspitcp/ I get a 401 (This request requires HTTP authentication ()) message.

I have used the Microsoft utility "Klist" to purge kerb tickets before accessing the URL, and list them afterwards, and there does seem to be a ticket getting created correctly, called something like HTTP/myserver.my.domain.

The negoserver log is recording entries like these:
Server Verbose: 4986 : To a new request with a new connection TCP
    DateTime=2014-04-25T11:18:14.1490000Z
Server Verbose: 4986 : Before TranslationOrAuthenticate
    DateTime=2014-04-25T11:18:14.1490000Z
State Verbose: 4986 : Buf len : 1
    DateTime=2014-04-25T11:18:14.1646250Z
State Verbose: 4986 : Buf remaining 1
    DateTime=2014-04-25T11:18:14.1802500Z
Server Verbose: 4986 : In TranslationOrAuthenticate
    DateTime=2014-04-25T11:18:14.1958750Z
Server Verbose: 4986 : Buffer.length 1
    DateTime=2014-04-25T11:18:14.1958750Z
Server Verbose: 4986 : ConnectionType.AuthenticationAndInformIfAuthenticatedUser
    DateTime=2014-04-25T11:18:14.1958750Z
State Verbose: 4986 : A security requirement was not fulfilled during authentication. Required: None, negotiated: EncryptAndSign.    at System.Net.Security.NegoState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.NegotiateStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
   at httpToNegotiateStream.State.AuthenticateAsServerContinue(IAsyncResult ar) in c:\Users\dominique\Documents\doc\Visual Studio 2012\Projects\Negoserver\Negoserver\NegoServer.cs:line 1866
    DateTime=2014-04-25T11:18:14.3833750Z
Is this clear? I am sure I have forgotten to do something pretty basic... Hope you can help.
Coordinator
May 5, 2014 at 11:11 AM
Hello,
You use Tomcat 5.5.
Is Tomcat running on Windows? Is Tomcat running on the same computer?

Try first without the parameter onlykerberos. I think that NTLM is used by the browser.

If Tomcat is running on Unix and you want to use Kerberos, you must add a Service Principal Name to the account used by negoserver.
Your service Negoserver is running as SYSTEM. In this case, you must add a Service Principal Name to the account of the computer where Negoserver is running.

For instance, if the name of the computer where Negoserver is running is NegoComputer, add the SPN http/myservertomcatdnsname to the account NegoComputer in Active Directory.

Dominique
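A way to register and then verify the SPN described in the reply above, as an added example (not code from this thread or from Negoserver). The names NegoComputer and myservertomcatdnsname are the placeholders from the reply; it assumes the built-in Windows setspn and klist tools, run from an elevated prompt on a domain-joined machine with rights to edit the computer account.

```powershell
# Added example, not from the thread. Placeholder names taken from the reply above:
# the DNS name the browser uses to reach Tomcat, and the computer account of the
# host where Negoserver runs as SYSTEM (SYSTEM authenticates as that computer account).
$ServiceSpn   = 'http/myservertomcatdnsname'
$NegoComputer = 'NegoComputer'

# 1. See whether the SPN is already registered, and on which account.
#    Kerberos only works if exactly one account owns the SPN; a duplicate makes the
#    KDC refuse a ticket and the browser quietly falls back to NTLM (which
#    onlykerberos then rejects, giving a 401).
Write-Host "Existing registrations for $ServiceSpn :"
setspn -Q $ServiceSpn

# 2. Register the SPN on the computer account. -S (rather than -A) checks for a
#    duplicate first and refuses to create a second owner.
setspn -S $ServiceSpn $NegoComputer
if ($LASTEXITCODE -ne 0) {
    Write-Warning "setspn -S failed (exit $LASTEXITCODE); resolve the duplicate shown above first"
}

# 3. Confirm the computer account now lists the SPN.
setspn -L $NegoComputer

# 4. Forest-wide duplicate check as a final sanity step.
setspn -X

# 5. From a client, ask the KDC directly for a service ticket for that SPN.
#    If this succeeds, SPN registration is correct and any remaining 401 is on
#    the Negoserver / Tomcat side rather than in Active Directory.
klist purge
klist get $ServiceSpn
klist
```

Because the SPN must match the host name the browser actually types, a DNS alias needs its own SPN entry on the same computer account before switching from the server name to the alias.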
May 7, 2014 at 11:57 AM
Thanks Dominique - it appears to be working now, I think I broke the web.xml somehow. Fingers crossed.
Jul 28, 2015 at 1:30 PM
JaimieHolland,

Do you know what fixed this problem?
I'm facing the same ;-)
Jul 28, 2015 at 4:36 PM
Sorry, I don't recall this issue at all. I ended up using http://spnego.sourceforge.net/