28 Replies. Latest reply on Nov 20, 2015 4:33 PM by Raviteja
      • 15. Re: Re: Windows Integrated Authentication - HOWTO
        partlycloudy

        Perhaps the message Found unsupported keytype (3) is the issue. As per this thread, it appears to be related to a mismatch between the encryption protocols supported by the client & the Windows server. See Step #8 for how to get the list of encryption protocols supported. Step #10 shows where/how they are specified in the krb5.conf file. Finally, Step #11 shows how you can bump up various log levels (e.g. JAVA_OPTS, Tomcat logging in logging.properties). I found that changing org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level from INFO to FINEST produced an enormous amount of logging in Tomcat; hopefully that points you in the right direction. Good luck.

        • 16. Re: Windows Integrated Authentication - HOWTO
          Wannderer

          Hi VANJ,

          I am following your tutorial, but my Tomcat server is on Windows.

          Up to step #8, the sanity test works.

          But when I finish the steps and try to connect to my server, I have a domain login prompt and nothing happens after that, even if I put in my login information.

          Here is what I have in my Tomcat logs after the connection.

          Thanks for your help

          Sebastien


          Looking for keys for: HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 17version: 0
          Found unsupported keytype (18) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 23version: 0
          Found unsupported keytype (3) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Found unsupported keytype (1) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Looking for keys for: HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 17version: 0
          Found unsupported keytype (18) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 23version: 0
          Found unsupported keytype (3) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Found unsupported keytype (1) for HTTP/tomcat01.domain.com@DOMAIN.COM
          default etypes for default_tkt_enctypes: 23 17.
          >>> KrbAsReq creating message
          >>> KrbKdcReq send: kdc=mtldc1.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=154
          >>> KDCCommunication: kdc=mtldc1.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=154
          >>> KrbKdcReq send: #bytes read=196
          >>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 17, salt = DOMAIN.COMHTTPtomcat01.domain.com, s2kparams = null
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

          >>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
          >>>Pre-Authentication Data:
            PA-DATA type = 16

          >>>Pre-Authentication Data:
            PA-DATA type = 15

          >>> KdcAccessibility: remove mtldc1.domain.com:88
          >>> KDCRep: init() encoding tag is 126 req type is 11
          >>>KRBError:
            sTime is Fri Sep 18 09:50:08 EDT 2015 1442584208000
            suSec is 963898
            error code is 25
            error Message is Additional pre-authentication required
            sname is krbtgt/DOMAIN.COM@DOMAIN.COM
            eData provided.
            msgType is 30
          >>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 17, salt = DOMAIN.COMHTTPtomcat01.domain.com, s2kparams = null
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

          >>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
          >>>Pre-Authentication Data:
            PA-DATA type = 16

          >>>Pre-Authentication Data:
            PA-DATA type = 15

          KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
          default etypes for default_tkt_enctypes: 23 17.
          Looking for keys for: HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 17version: 0
          Found unsupported keytype (18) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 23version: 0
          Found unsupported keytype (3) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Found unsupported keytype (1) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Looking for keys for: HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 17version: 0
          Found unsupported keytype (18) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 23version: 0
          Found unsupported keytype (3) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Found unsupported keytype (1) for HTTP/tomcat01.domain.com@DOMAIN.COM
          default etypes for default_tkt_enctypes: 23 17.
          >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
          >>> KrbAsReq creating message
          >>> KrbKdcReq send: kdc=mtldc1.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=241
          >>> KDCCommunication: kdc=mtldc1.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=241
          >>> KrbKdcReq send: #bytes read=1464
          >>> KdcAccessibility: remove mtldc1.domain.com:88
          Looking for keys for: HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 17version: 0
          Found unsupported keytype (18) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 23version: 0
          Found unsupported keytype (3) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Found unsupported keytype (1) for HTTP/tomcat01.domain.com@DOMAIN.COM
          >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
          >>> KrbAsRep cons in KrbAsReq.getReply HTTP/tomcat01.domain.com
          Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
          Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
          Found KeyTab c:\AppServer\Tomcat8\conf\tomcat01.keytab for HTTP/tomcat01.domain.com@DOMAIN.COM
          Found KeyTab c:\AppServer\Tomcat8\conf\tomcat01.keytab for HTTP/tomcat01.domain.com@DOMAIN.COM
          Found ticket for HTTP/tomcat01.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Fri Sep 18 19:50:08 EDT 2015
          Entered Krb5Context.acceptSecContext with state=STATE_NEW
          Looking for keys for: HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 17version: 0
          Found unsupported keytype (18) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Added key: 23version: 0
          Found unsupported keytype (3) for HTTP/tomcat01.domain.com@DOMAIN.COM
          Found unsupported keytype (1) for HTTP/tomcat01.domain.com@DOMAIN.COM
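
          The debug lines above (and the "Found unsupported keytype" message post 15 points at) are easier to read once the numeric etypes are named. The following triage script is an added example written for this thread; it is not code from the HOWTO, from the JDK or from Tomcat. It parses the JDK's -Dsun.security.krb5.debug=true output, maps the etype numbers to their registry names (RFC 3961/4120/4757), and reports which keytab keys this JVM accepted and which it rejected. The sample log is constructed from the lines quoted in post 16; the explanations of why 18 (AES-256, needs the unlimited-strength JCE policy on older JDKs) and 1/3 (single DES, disabled unless allow_weak_crypto = true) are rejected are general JDK behaviour, not a diagnosis of Sebastien's particular failure.

```python
"""Triage Java Kerberos debug output for encryption-type (etype) problems.

Added example for the thread above, not part of the HOWTO or the JDK.
Reads "Added key" / "Found unsupported keytype" / "default etypes" lines
printed with -Dsun.security.krb5.debug=true and names the etypes.
"""
import re

# Kerberos etype numbers from the IANA registry (RFC 3961 / 4120 / 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single DES is off in the JDK unless allow_weak_crypto = true; RC4 is legacy.
WEAK_ETYPES = {1, 3, 23}

ADDED_RE = re.compile(r"Added key:\s*(\d+)version:\s*(\d+)")
UNSUPPORTED_RE = re.compile(r"Found unsupported keytype \((\d+)\) for (\S+)")
DEFAULT_RE = re.compile(r"default etypes for default_tkt_enctypes:\s*([\d ]+)\.")


def analyse(log_text):
    """Summarise accepted/rejected keytab etypes, the principal and the
    client's default ticket etypes from one debug log."""
    accepted, rejected, defaults, principal = set(), set(), [], None
    for line in log_text.splitlines():
        m = ADDED_RE.search(line)
        if m:
            accepted.add(int(m.group(1)))
            continue
        m = UNSUPPORTED_RE.search(line)
        if m:
            rejected.add(int(m.group(1)))
            principal = m.group(2)
            continue
        m = DEFAULT_RE.search(line)
        if m:
            defaults = [int(x) for x in m.group(1).split()]
    return {
        "principal": principal,
        "accepted": sorted(accepted),
        "rejected": sorted(rejected),
        "default_tkt_enctypes": defaults,
    }


def findings(summary):
    """Turn the summary into human-readable triage findings."""
    out = []
    for et in summary["rejected"]:
        name = ETYPE_NAMES.get(et, "unknown")
        if et == 18:
            out.append(f"keytab has {name} ({et}) but this JVM rejects it: "
                       "AES-256 needs the unlimited-strength JCE policy on older JDKs")
        elif et in (1, 3):
            out.append(f"keytab has {name} ({et}), single DES, which the JDK "
                       "disables unless allow_weak_crypto = true (leave it disabled)")
        else:
            out.append(f"keytab has {name} ({et}) which this JVM does not support")
    strong = [et for et in summary["accepted"] if et not in WEAK_ETYPES]
    if strong:
        out.append("usable strong etypes: " +
                   ", ".join(ETYPE_NAMES.get(e, str(e)) for e in strong))
    else:
        out.append("no strong etype usable from the keytab; only RC4/DES left")
    if 23 in summary["default_tkt_enctypes"]:
        out.append("rc4-hmac (23) is in default_tkt_enctypes; prefer AES-only "
                   "in krb5.conf once the keytab is AES-only")
    return out


# Constructed sample, copied from the debug lines quoted in the thread.
SAMPLE_LOG = """\
Looking for keys for: HTTP/tomcat01.domain.com@DOMAIN.COM
Added key: 17version: 0
Found unsupported keytype (18) for HTTP/tomcat01.domain.com@DOMAIN.COM
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/tomcat01.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/tomcat01.domain.com@DOMAIN.COM
default etypes for default_tkt_enctypes: 23 17.
"""

if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    print(summary)
    for f in findings(summary):
        print("-", f)
```

          Run it over a full catalina.out and compare the accepted list with the etypes ktpass generated into the keytab (Step #8); if the only accepted strong type is AES-128, the AES-256 key in the keytab is dead weight until the JVM can use it.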

          • 17. Re: Windows Integrated Authentication - HOWTO
            partlycloudy

            I see some errors in the debug, maybe you can google them but if you are running Tomcat on Windows, I highly recommend the alternate deployment option I described further on in the thread. The advantage of that configuration is that IIS handles the authentication so you don't have to worry about Kerberos, keytabs and all that stuff, you get it for free with Windows & IIS. Good luck.

            • 18. Re: Windows Integrated Authentication - HOWTO
              rwendel

              For others who have more say or pull over their environment, might I recommend, instead of looking at NTLM for AD authentication, using ADFS through mod_shib; it would be much easier for Apache httpd -> Apache Tomcat -> ORDS -> Apex.

              Even still, before a non-OHS option was available, I actually had written a custom 'in app' authenticator for APEX apps against ADFS in an authentication scheme [pl/sql and java]. It pulls from any fields in the SAML2 document. One caveat is that the XML digital signature was easier to confirm in Java, so I have an AQ listener program to just confirm the digital signature before the document is trusted. Anyone who would like more info on either technique, I am happy to share some of the specifics. I just don't like doing blog posts no one cares about.

              • 19. Re: Windows Integrated Authentication - HOWTO
                Tony Kirn-Oracle

                Greetings and thank you very much for the detailed steps. I wanted to clarify if the following line in step 9 for the web.xml was correct:

                <url-pattern>*</url-pattern>

                Should this be instead:

                <url-pattern>/*</url-pattern>

                I get a resource not found error if I don't use the / before the *.

                Also do you have any advice or steps on how to get the authentication working as HTTPS?

                • 20. Re: Windows Integrated Authentication - HOWTO
                  Raviteja

                  Hi Sebastien,

                  Did you get it to work?

                  I'm using the alternate configuration suggested by Vanj, i.e. IIS+Tomcat+ORDS.

                  Everything works till step 8 and I can login to Apex using http://myhost/ords or http://myhost/ords/apex_admin.

                  When I go to APEX > Administration > About > CGI variables, the REMOTE_USER is showing APEX_PUBLIC_USER.

                  What else do I need to configure on IIS and Apex to see the domain user?

                  Thank you

                  • 21. Re: Windows Integrated Authentication - HOWTO
                    apt123

                    This has made my day!  I added the /, and after looking at a brick wall for a week, I'm on to the next error, "spnegoAuthenticator Unable to login"!!!  This is an excellent post. Thank you.

                    • 22. Re: Windows Integrated Authentication - HOWTO
                      partlycloudy

                      You are right, my mistake. The URL patterns should indeed be /*. I corrected this in my original post. One of the reference links I posted goes into a lot more detail on this topic.

                      Using TLS/HTTPS would involve setting up SSL certificates on the web server. I have done this with the IIS/Tomcat configuration. It's pretty straightforward. Nothing specific to Tomcat/ORDS really, just basic IIS configuration.
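
                      The difference between the two patterns in post 19 and post 22 is not cosmetic. The script below is an added example written for this thread, not code from the HOWTO or from Tomcat: it reimplements in Python the pattern validation Tomcat applies to a security-constraint <url-pattern> (empty string, "*.ext" without a slash, or a "/..." path without "*.") and the Servlet-spec matching rules, so you can see that "*" is not a legal pattern at all (Tomcat rejects the constraint at startup, which is consistent with the "resource not found" reported above), that "/*" covers every request, and which paths a narrower pattern such as "/ords/*" leaves outside the constraint. The sample paths are constructed.

```python
"""Validate and match Servlet <url-pattern> values the way Tomcat does.

Added example for the thread above; not the HOWTO's or Tomcat's own code.
Validation mirrors Tomcat's StandardContext.validateURLPattern, matching
follows Servlet spec section 12.1 (exact, path-prefix, extension, default).
"""


def is_valid_url_pattern(p):
    """True for "", "*.ext" (no "/") and "/..." (no "*."); False otherwise."""
    if p is None or "\n" in p or "\r" in p:
        return False
    if p == "":
        return True                      # empty string: the context root only
    if p.startswith("*."):
        return "/" not in p              # extension mapping
    if p.startswith("/"):
        return "*." not in p             # exact or path-prefix mapping
    return False                         # e.g. "*" or "ords/*"


def matches(pattern, path):
    """Does one (valid) pattern cover a context-relative request path?"""
    if not is_valid_url_pattern(pattern):
        return False
    if pattern == "":
        return path == "/"
    if pattern == "/*" or pattern == "/":
        return True                      # whole application / default servlet
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern               # exact match


def check_constraints(patterns, paths):
    """Validate constraint patterns (raising as Tomcat does for an invalid
    one) and return the sample paths that no pattern covers."""
    for p in patterns:
        if not is_valid_url_pattern(p):
            raise ValueError(f"Invalid <url-pattern> [{p}] in security constraint")
    return [path for path in paths
            if not any(matches(p, path) for p in patterns)]


# Constructed sample request paths for an ORDS/APEX deployment.
SAMPLE_PATHS = ["/", "/ords", "/ords/f", "/ords/apex_admin",
                "/i/app.css", "/login.jsp"]

if __name__ == "__main__":
    for pats in (["/*"], ["/ords/*"], ["*.jsp"], ["*"]):
        try:
            print(pats, "leaves unprotected:", check_constraints(pats, SAMPLE_PATHS))
        except ValueError as e:
            print(pats, "rejected:", e)
```

                      For a single-sign-on constraint the point is coverage: anything outside the pattern is served without the SPNEGO challenge, so after changing the pattern check the paths you actually expose (the ORDS and apex_admin entry points, static resources) against it rather than assuming the constraint is global.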

                      • 23. Re: Re: Windows Integrated Authentication - HOWTO
                        partlycloudy

                        Step 7 - Edit Tomcat's server.xml and add address=127.0.0.1 tomcatAuthentication=false to the AJP Connector port=8009. This instructs Tomcat to a) accept AJP requests only on the local loopback interface and b) use the authenticated IIS request instead of attempting to do its own authentication.

                        Raviteja - Are you sure you did Step 7, quoted above?

                        • 24. Re: Windows Integrated Authentication - HOWTO
                          Raviteja

                          Vanj,

                          Thank you so much for the reply, I salute you for putting together this detailed thread.

                          There is one change in my environment from the steps you've listed. I've used the BonCode IIS connector downloaded from "tomcatiis.riaforge.org" as I could not access/download the connector from my work. However, this connector used the same ports and everything.

                          Yes, I did change server.xml as you've mentioned in step 7, here is that part from my server.xml.

                          <!-- Define an AJP 1.3 Connector on port 8009 -->
                          <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
                                     address="127.0.0.1"
                                     tomcatAuthentication="false"
                                     />

                          I get an error with that change, I'm uploading the screenshot. If I take that out, I can login using the regular apex username and password.

                          [screenshot: iis_tomcat_error.png]

                          Thank you so much for your time.

                          • 25. Re: Windows Integrated Authentication - HOWTO
                            partlycloudy

                            I don't know anything about this Boncode connector. I used the "official" IIS connector from the Apache website and described the steps I took to get it working. Your error seems to indicate that port 8009 is not accepting connections. Check your Tomcat logs to see if everything started up correctly. Sorry, but there are too many moving parts for me to remotely diagnose your environment. Good luck.

                            • 26. Re: Windows Integrated Authentication - HOWTO
                              Raviteja

                              Hi Vanj,

                              Thank you so much for your reply. I'm only getting the error when I add address="127.0.0.1" tomcatAuthentication="false" in the server.xml; if I take that out, I'm able to log in with apex authentication from IIS. I'll take that connector out and try with the one you've specified.

                              I apologize, this may be a dumb question, but do I need to follow steps 9 and 10 from your original post before I get this to work in my case (alternate configuration IIS+Tomcat+ORDS)?

                              I got the error after step 8 and am stuck, but if I need to complete 9 and 10 before I can test, I will complete those and give it a try.

                              Thank you

                              • 27. Re: Windows Integrated Authentication - HOWTO
                                partlycloudy

                                Sorry, I can't explain why adding those 2 parameters causes the error. address=127.0.0.1 restricts connections to the specified port to the local loopback interface; you can try taking it out to see if it changes anything. tomcatAuthentication=false is critical to this setup since it instructs Tomcat to skip its own authentication and re-use the authentication tokens from the IIS HTTP request.

                                No, the two configuration options described in my original post and the follow-up post are completely independent of each other. The former uses Tomcat's native features (i.e. SpnegoAuthenticator valve in conjunction with the JAAS realm) to perform Kerberos negotiation. The latter uses IIS native features (Windows integrated authentication).
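
                                The two attributes discussed in posts 23, 24 and 27 are tied together from a security point of view: with tomcatAuthentication="false" Tomcat trusts whatever user name the AJP client forwards, so any process that can open a TCP connection to port 8009 can assert an arbitrary identity. Binding to 127.0.0.1 is therefore not optional, and a shared secret on the connector (requiredSecret on Tomcat 8.0, which this example assumes; later releases renamed it secret/secretRequired) ties the connector to the one IIS/ISAPI worker that knows it. The audit script below is an added example written for this thread, not code from the HOWTO or from Tomcat: it parses a server.xml with the standard library and reports AJP connectors that forward identity without those protections. The three server.xml fragments are constructed; the first reproduces the Step 7 snippet posted above.

```python
"""Audit AJP connector settings in a Tomcat server.xml.

Added example for the thread above; not the HOWTO's or Tomcat's own code.
A connector with tomcatAuthentication="false" forwards the AJP client's
REMOTE_USER unverified, so it must be loopback-bound and carry a secret.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml):
    """Return (port, finding) tuples for every AJP connector in server.xml."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        # Default is "true": Tomcat authenticates, the forwarded user is ignored.
        trusts_ajp_user = conn.get("tomcatAuthentication", "true").lower() == "false"
        addr = conn.get("address")
        # requiredSecret is the Tomcat 8.0 name (assumed here); later versions use secret.
        secret = conn.get("requiredSecret") or conn.get("secret")
        if not trusts_ajp_user:
            results.append((port, "ok: Tomcat performs its own authentication"))
            continue
        if addr not in LOOPBACK:
            results.append((port, "tomcatAuthentication=false but connector "
                                  "is not bound to loopback"))
        if not secret:
            results.append((port, "tomcatAuthentication=false without an "
                                  "AJP shared secret"))
        if addr in LOOPBACK and secret:
            results.append((port, "ok: identity forwarded over loopback "
                                  "with shared secret"))
    return results


# Constructed server.xml fragments. AS_POSTED mirrors the thread's Step 7.
AS_POSTED = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             address="127.0.0.1" tomcatAuthentication="false" />
</Service></Server>"""

HARDENED = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             address="127.0.0.1" tomcatAuthentication="false"
             requiredSecret="replace-with-a-long-random-value" />
</Service></Server>"""

EXPOSED = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
</Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("as posted", AS_POSTED), ("hardened", HARDENED),
                      ("exposed", EXPOSED)):
        print(name, audit_ajp(xml))
```

                                The same secret has to be configured on the IIS side (for the Apache ISAPI redirector that is the worker's secret property in workers.properties); if the connector in use does not support it, keep the loopback binding and make sure nothing but IIS runs on that host, because the loopback address is then the only thing standing between the AJP port and identity spoofing.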

                                • 28. Re: Windows Integrated Authentication - HOWTO
                                  Raviteja

                                  Vanj,

                                  Thank you so much for the clarification. Going back now to install the connector from your link.

                                  Will update.
