Tomcat SPNEGO authentication against Active Directory not working

Question

I'm trying to authenticate against AD using the http://spnego.sourceforge.net component with tomcat.

I've created my SPN's "setspn.exe -A HTTP/servername SVCTomcat" & "setspn.exe -A HTTP/servername.fqdn.net SVCTomcat"

I've created my krb5.conf & login.conf file and setup the filter in the web.xml ie.

<filter-name>SpnegoHttpFilter</filter-name>
<filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <param-name>spnego.allow.unsecure.basic</param-name>
    <param-value>false</param-value>
    <param-name>spnego.login.client.module</param-name>
    <param-value>spnego-client</param-value>
    <param-name>spnego.krb5.conf</param-name>
    <param-value>krb5.conf</param-value>
    <param-name>spnego.login.conf</param-name>
    <param-value>login.conf</param-value>
    <param-name>spnego.preauth.username</param-name>
    <param-value>SVCTomcat</param-value>
    <param-name>spnego.preauth.password</param-name>
    <param-value>Pasword</param-value>
    <param-name>spnego.login.server.module</param-name>
    <param-value>spnego-server</param-value>
    <param-name>spnego.prompt.ntlm</param-name>
    <param-value>false</param-value>
    <param-name>spnego.logger.level</param-name>
    <param-value>2</param-value>

Note i've stripped extraneous tags from this, so it's not the actual XML.

When i go to a page protected by this filter i get this in the catalina logfile. 25-Mar-2010 12:41:26 org.apache.catalina.startup.Catalina start INFO: Server startup in 4615 ms 25-Mar-2010 12:41:47 net.sourceforge.spnego.SpnegoHttpFilter doFilter FINE: principal=SYSTEM@TESTDOMAIN

And in the hello_spnego.jsp example on the website it just reports the name of the user tomcat is running as (SYSTEM), not the user i'm connecting with.

It seems the author stopped halfway through his debugging page, so i've no areas to look in other than to triple check my config.

Any ideas?

score 0 · Accepted Answer · answered Apr 06 '10 at 21:42

Assuming you are using a web browser running on the same machine as Tomcat to hit the hello_spnego.jsp page, here is what I imagine is going on:

You aren't setting the SpnegoHttpFilter configuration parameter "spnego.allow.localhost".
While the reference guide for the filter (http://spnego.sourceforge.net/reference_docs.html) states that this setting defaults to false, a perusal through the source code (SpnegoFilterConfig.java line 80) indicates this parameter defaults to true.
When this parameter is set to true the SpnegoHttpFilter will bypass authentication and instead just set the authenticated principal to the user account Tomcat is running under. This is why you are getting the “SYSTEM@TESTDOMAIN” result.

If my initial assumption is correct, try hitting the hello_spnego.jsp page from a remote machine and it should perform the actual authentication. (You may need to enable Kerberos authentication for your browser.)

Note that the filter author is active on answering questions via the SourceForge project forums at http://sourceforge.net/projects/spnego/forums/

Tomcat SPNEGO authentication against Active Directory not working

1 Answers1