Single sign-on with W2K, IE 6.1 and JGSS

Anupama Turlapati anupama at attbi.com
Sat Sep 21 00:59:51 EDT 2002


Hello all,

I have been trying to achieve single sign-on with IE 6.1 on Win2k systems.
Basically, I am trying to emulate the IIS and IE Kerberos auth exchange. In my case
the server happens to be Tomcat.
IIS and IE exchange GSSAPI tokens using the SPNEGO mechanism. IIS sets the HTTP
header "WWW-Authenticate:" to "Negotiate". IE responds with the HTTP header
"Authorization:" set to "Negotiate b64[gssapi-token]".
The exchange goes on until the GSS context is established.

My setup is as follows:

Server
-------
1. Solaris 2.6
2. Tomcat Servlet Engine
3. JDK 1.4.1 JGSS
4. Login configuration
    com.sun.security.jgss.accept = {
        com.sun.security.auth.module.Krb5LoginModule required debug=true
        useKeyTab=true keyTab="/etc/krb5/v5srvtab" storeKey=true
        principal="HTTP/dlsun685.us.oracle.com@ASO-NT50.US.ORACLE.COM";
    };
5. Create /etc/krb5/krb5.conf
6. Create W2K KDC user principal "dlsun685", trusted for delegation, use DES
encryption
7. ktpass -princ HTTP/dlsun685.us.oracle.com@ASO-NT50.US.ORACLE.COM -pass welcome -mapuser dlsun685 -out v5srvtab
8. Copy v5srvtab to dlsun685:/etc/krb5
9. Coded $TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/SnoopServlet.java. This
uses JGSS to frame GSS tokens.

Client
-------
1. Win2k
2. IE 6.1
3. URL : http://dlsun685.us.oracle.com:8080/servlet/SnoopServlet

The servlet is able to access the keytab and get creds [output follows]

>Getting creds for HTTP/dlsun685.us.oracle.com@ASO-NT50.US.ORACLE.COM
>Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is
>KeyTab is /etc/krb5/v5srvtab principal is HTTP/dlsun685.us.oracle.com tryFirstPass is false
>useFirstPass is false storePass is false clearPass is false
>principal's key obtained from the keytab
>principal is HTTP/dlsun685.us.oracle.com@ASO-NT50.US.ORACLE.COM
>Added server's keyKerberos Principal HTTP/dlsun685.us.oracle.com@ASO-NT50.US.ORACLE.COMKey Version 1key EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 52 0D D9 9D 61 C8 E6 7A
> [Krb5LoginModule] added Krb5Principal HTTP/dlsun685.us.oracle.com@ASO-NT50.US.ORACLE.COM to Subject
>Commit Succeeded

But when I pass the GSS token from IE into acceptSecContext() it raises an
exception [stack trace follows]

2002-09-20 09:46:41 - Ctx(  ): Exception in: R(  + /servlet/SnoopServlet + null) - javax.servlet.ServletException: 1.3.6.1.5.5.2 usage: Accept
        at SnoopServlet.doGet(SnoopServlet.java:127)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
        at org.apache.tomcat.core.Handler.service(Handler.java:286)
        at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
        at java.lang.Thread.run(Thread.java:536)
Root cause:
GSSException: 1.3.6.1.5.5.2 usage: Accept
        at sun.security.jgss.GSSCredentialImpl.getElement(GSSCredentialImpl.java:481)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:282)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
        at SnoopServlet.gssAuthenticate(SnoopServlet.java:78)
        at SnoopServlet.doGet(SnoopServlet.java:117)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
        at org.apache.tomcat.core.Handler.service(Handler.java:286)
        at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
        at java.lang.Thread.run(Thread.java:536)

Finally, in the Win2k client cache I see a service ticket for
HTTP/dlsun685.us.oracle.com@ASO-NT50.US.ORACLE.COM of type DES-CBC-MD5.

Any ideas why this is happening? Also, is the JGSS implementation on Solaris
based on the Sun GSSAPI C implementation? Is SSPI different from GSSAPI?

/T$R
(Ramana Turlapati)
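The exception in the post names OID 1.3.6.1.5.5.2, which is the SPNEGO mechanism, while the acceptor credential was acquired through Krb5LoginModule for Kerberos; `GSSCredentialImpl.getElement` is reporting that the credential has no element for the mechanism the browser's token names. The first thing to check on the server side is therefore which mechanism OID the incoming `Authorization: Negotiate` token actually carries. The following is an added diagnostic, not code from the original post or from JGSS: it decodes the RFC 2743 section 3.1 InitialContextToken framing (tag 0x60, DER length, then the mechanism OID) and reports SPNEGO versus raw Kerberos V5, and it tells you whether a Kerberos-only acceptor credential could handle the token at all. The sample tokens are constructed here with a dummy mechanism body and carry no real ticket; the function names are this example's own.

```python
import base64

# Mechanism OIDs in dotted form. The exception in the post names the first one.
SPNEGO_OID = "1.3.6.1.5.5.2"        # SPNEGO (RFC 2478), what IE sends under "Negotiate"
KRB5_OID = "1.2.840.113554.1.2.2"   # Kerberos V5 (RFC 1964), what a Krb5LoginModule credential covers
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5"}


def _encode_der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_length(buf, pos):
    """Return (length, position after the length octets) for buf[pos:]."""
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def _encode_oid(dotted):
    """Content octets of a DER OBJECT IDENTIFIER (base-128 arcs, first two arcs merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunks = [value & 0x7F]
        value >>= 7
        while value:
            chunks.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(chunks))
    return bytes(out)


def _decode_oid(body):
    """Inverse of _encode_oid; raises on an empty OID or a truncated final arc."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def build_initial_token(mech_oid, body):
    """RFC 2743 s3.1 InitialContextToken: 0x60 <len> 0x06 <len> <oid> <mech body>."""
    oid = _encode_oid(mech_oid)
    inner = b"\x06" + _encode_der_length(len(oid)) + oid + body
    return b"\x60" + _encode_der_length(len(inner)) + inner


def mech_oid_of_token(token):
    """Return the dotted mechanism OID that a GSS-API initial context token names."""
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("not an InitialContextToken (missing [APPLICATION 0] tag 0x60)")
    total, pos = _read_der_length(token, 1)
    if pos + total != len(token):
        raise ValueError("token length does not match its DER framing")
    if pos >= len(token) or token[pos] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER after the token header")
    oid_len, pos = _read_der_length(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("truncated mechanism OID")
    return _decode_oid(token[pos:pos + oid_len])


def negotiate_header_for(token):
    """Value a client puts in 'Authorization:' for this token (base64, no line breaks)."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def classify_authorization(header_value):
    """Parse an 'Authorization:' header value; return (mech_oid, mech_name)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError(f"unsupported scheme {scheme!r}; expected Negotiate")
    token = base64.b64decode(b64.strip(), validate=True)
    oid = mech_oid_of_token(token)
    return oid, MECH_NAMES.get(oid, "unknown mechanism")


def acceptor_can_handle(header_value, acceptor_mechs=(KRB5_OID,)):
    """True if the token's mechanism is one the acceptor credential was acquired for."""
    oid, _ = classify_authorization(header_value)
    return oid in acceptor_mechs


# Constructed sample tokens: the mechanism-specific body is a dummy placeholder, not a real
# NegTokenInit or AP-REQ; the header check above only needs the framing and the OID.
SAMPLE_SPNEGO_TOKEN = build_initial_token(SPNEGO_OID, b"\xa0\x00")
SAMPLE_KRB5_TOKEN = build_initial_token(KRB5_OID, b"\x01\x00" + b"\x00" * 200)

if __name__ == "__main__":
    for tok in (SAMPLE_SPNEGO_TOKEN, SAMPLE_KRB5_TOKEN):
        hdr = negotiate_header_for(tok)
        print(classify_authorization(hdr), "Krb5-only acceptor:", acceptor_can_handle(hdr))
```

Run against the header a real browser sends, `classify_authorization` will report SPNEGO for an IE "Negotiate" token, which is exactly the mechanism the acceptor credential in the post does not hold; the same check works as a log line in front of `acceptSecContext()` so that a mechanism mismatch is visible before the GSSException.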