1 Reply Latest reply on Aug 11, 2016 6:31 PM by aladen

    Kerberos Auth  (to Active directory) with ORDS/APEX and tomcat still giving me a 401

    aladen

      Hi All.

       

      Following the famous Windows Integrated Authentication HOWTO, but I keep getting an HTTP 401 Requires authentication error.

      Apache tomcat 7.0.70

      Apex 5.0.3

      Ords 3.0.6

      Solaris 11 zone.

       

      After lots of acrobatics with keytab files (the doc should mention that the realm name needs to be capitalized in the principal in step 5 when creating the keytab file, to avoid a "KDC reply did not match expectations for client ...  lower-case detected in realm 'company.lan' while getting initial credentials" error), I made it past the checkpoints in steps 7 and 8. (Note: to test with a krb5.conf file in a non-default location, you can set the environment variable KRB5_CONFIG to the full path of the file you want to use, so you can test with the same krb5.conf file that you will be creating in step 10.) We use Centrify for authentication on the server itself, so I didn't want to mess with the Centrify-created krb5.conf file.

       

      Turned up logging in Tomcat. As far as I can tell, it is making the connection to the KDC. The log ends with a message about finding a ticket for my principal and entering STATE_NEW, which, given no other hints, looks OK to me.

      Looking for keys for: HTTP/testhost.company.lan@COMPANY.LAN

      Added key: 23version: 5

      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

      >>> KrbAsRep cons in KrbAsReq.getReply HTTP/testhost.company.lan

      Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)

      Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)

      Found KeyTab /opt/tomcat/tomcat/tomcat.keytab for HTTP/testhost.company.lan@COMPANY.LAN

      Found KeyTab /opt/tomcat/tomcat/tomcat.keytab for HTTP/testhost.company.lan@COMPANY.LAN

      Found ticket for HTTP/testhost.company.lan@COMPANY.LAN to go to krbtgt/COMPANY.LAN@COMPANY.LAN expiring on Wed Jul 27 19:38:14 EDT 2016

      Entered Krb5Context.acceptSecContext with state=STATE_NEW

      Looking for keys for: HTTP/testhost.company.lan@COMPANY.LAN

      Added key: 23version: 5

       

      Then nothing else in the logs. I assume it fails the Kerberos auth, then gives me the form and then the basic auth pop-up windows. I try my login on all of them, then get the 401 screen.

       

      Am I making the connection to the KDC correctly? Any other ideas on where I should look? partlycloudy?

       

      Thanks

      Andrew

       

      Side note: why doesn't the "About" page show up in the Internal workspace? It's annoying to have to change workspaces to see the REMOTE_USER value.
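The three checks below are an added example, not code from the original post or from the Oracle HOWTO it follows. They cover the two tips in the post (the realm in the service principal must be upper-case when the keytab is created; KRB5_CONFIG lets you test a krb5.conf that is not the system default without touching the Centrify-managed one) and add a small classifier that reads Java Kerberos debug output and reports the last handshake milestone reached. The principal and keytab path are taken from the post; the krb5.conf path is a placeholder, and the sample log lines fed to the classifier are constructed from the lines pasted above.

```shell
#!/bin/sh
# Added example (not from the original post or the Oracle HOWTO).
# 1. check the realm case in the service principal before running ktpass/ktutil,
# 2. test the keytab with a non-default krb5.conf via KRB5_CONFIG,
# 3. classify Java Kerberos debug output (sun.security.krb5.debug=true) by milestone.
# No KDC is contacted unless kinit is installed and verify_keytab is invoked.

# Exit 0 if the realm after '@' is all upper-case, 1 if it is lower/mixed-case or missing.
realm_is_uppercase() {
    princ="$1"
    realm="${princ##*@}"
    [ "$realm" != "$princ" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Print the principal with its realm upper-cased. The host part of the SPN is left
# alone: the error quoted in the post complains about the realm, not the host name.
normalize_principal() {
    princ="$1"
    case $princ in
        *@*) printf '%s@%s\n' "${princ%@*}" "$(printf '%s' "${princ##*@}" | tr '[:lower:]' '[:upper:]')" ;;
        *)   printf '%s\n' "$princ" ;;
    esac
}

# Print the kinit command that tests a keytab against the KDC using a krb5.conf
# in a non-default location. KRB5_CONFIG is honoured by MIT and Heimdal kinit.
kinit_cmd() {
    keytab="$1"; princ="$2"; conf="$3"
    printf 'KRB5_CONFIG=%s kinit -kt %s %s\n' "$conf" "$keytab" "$princ"
}

# Refuse a lower-case realm up front, then run kinit for real if it is on PATH,
# otherwise just print the command to run on the server.
verify_keytab() {
    keytab="$1"; princ="$2"; conf="$3"
    if ! realm_is_uppercase "$princ"; then
        echo "realm in '$princ' is not upper-case; recreate the keytab for $(normalize_principal "$princ")" >&2
        return 1
    fi
    cmd=$(kinit_cmd "$keytab" "$princ" "$conf")
    if command -v kinit >/dev/null 2>&1; then
        echo "running: $cmd"
        KRB5_CONFIG="$conf" kinit -kt "$keytab" "$princ" && KRB5_CONFIG="$conf" klist
    else
        echo "kinit not found here; run on the server: $cmd"
    fi
}

# Read JDK Kerberos debug output on stdin and report the last milestone it reached.
# The patterns are the literal strings the JDK prints; later milestones override earlier ones.
krb_debug_stage() {
    log=$(cat)
    stage="no Found KeyTab line: keytab lacks the principal or krb5 debug is off"
    printf '%s\n' "$log" | grep -q 'Found KeyTab' && stage="keytab entry found for the service principal"
    printf '%s\n' "$log" | grep -q 'KrbAsRep cons in KrbAsReq.getReply' && stage="AS-REP received and decrypted: KDC reachable, keytab key accepted"
    printf '%s\n' "$log" | grep -q 'acceptSecContext with state=STATE_NEW' && stage="client SPNEGO token received: acceptSecContext entered"
    printf '%s\n' "$stage"
}

# Demo with the principal from the post; the krb5.conf path is an assumed placeholder.
SPN='HTTP/testhost.company.lan@company.lan'
if realm_is_uppercase "$SPN"; then echo "realm OK: $SPN"; else echo "fix realm: $(normalize_principal "$SPN")"; fi
kinit_cmd /opt/tomcat/tomcat/tomcat.keytab "$(normalize_principal "$SPN")" /opt/tomcat/conf/krb5.conf

# Constructed sample: three lines copied from the debug output pasted in the post.
krb_debug_stage <<'EOF'
Found KeyTab /opt/tomcat/tomcat/tomcat.keytab for HTTP/testhost.company.lan@COMPANY.LAN
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/testhost.company.lan
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EOF
```

On the debug output pasted above the classifier reports the last stage: an AS-REP came back and was decrypted, so the KDC exchange itself is not the problem, and a client token did reach acceptSecContext. Whatever goes wrong happens after STATE_NEW, so that is where the next round of logging should focus.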