[EXTERNAL] Spnego to Tomcat Fronted by Apache

Nebergall, Christopher cneberg at sandia.gov
Wed Feb 6 10:18:36 EST 2013


I haven't tested that configuration but it should work. Is apache webserver on the same system as tomcat? If not, then the client may be requesting the wrong key - and you could end up attempting the wrong key or NTLM rather than Kerberos. You can set up wireshark at each of the hops to verify. (Decode the base64 of the spnego token - it will be much shorter than a Kerberos token, less than 100 characters for NTLM vs 1000's for Kerberos spnego, and be prefixed with NTLM after the decode if it is NTLM.)

Otherwise a common problem is the header size of your spnego token is too big for apache, tomcat or the connector.

I would think you would see some errors in your apache or tomcat logs about the header being too big/invalid request but here is everywhere in tomcat and apache you can try and tweak the max header size to see if it helps (not all of these will be required.)


Fixes for Tomcat

$CATALINA_HOME/conf/server.xml -> add packetSize and maxHttpHeaderSize parameters


<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" packetSize="20000" tomcatAuthentication="true" />


<Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="20000"
               connectionTimeout="20000"
               redirectPort="8443" />


$CATALINA_HOME/conf/jk/workers.properties
#-------DEFAULT ajp13 WORKER DEFINITION-------------------------
worker.ajp13.max_packet_size=20000



Fix for apache:
http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
LimitRequestFieldSize 20000

You might need to do this for the specific virtual server and not just in the general configuration.

You can do this in older versions of apache 1.3 and 2.x but there is some built in limit you can't go over without recompiling apache - and it's not obvious you passed the limit from the logs.

-Christopher
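A check for the token-type and header-size diagnosis above, as an added example that is not part of the original mail: it decodes an `Authorization: Negotiate` value, tells bare NTLM from a raw Kerberos GSS token or a SPNEGO wrapper carrying Kerberos or NTLM by the DER structure, and compares the header line against a size limit. The limit value, the sample tokens and all function names are constructed for this example.

```python
import base64
import re

# DER-encoded OIDs as they appear inside a GSS-API / SPNEGO token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
NTLMSSP_SIG = b"NTLMSSP\x00"

def _der_len_size(raw: bytes) -> int:
    """Size in bytes of the DER length field that follows the tag at raw[0]."""
    first = raw[1]
    return 1 if first < 0x80 else 1 + (first & 0x7F)

def classify_token(raw: bytes) -> str:
    """Name the mechanism carried by a decoded Negotiate token."""
    if raw.startswith(NTLMSSP_SIG):
        return "NTLM"                      # bare NTLMSSP message, no SPNEGO wrapper
    if len(raw) < 12 or raw[0] != 0x60:    # InitialContextToken is [APPLICATION 0]
        return "unknown"
    oid_at = 1 + _der_len_size(raw)
    if raw[oid_at:oid_at + len(KRB5_OID)] in (KRB5_OID, MS_KRB5_OID):
        return "Kerberos"                  # raw Kerberos GSS token, no SPNEGO wrapper
    if raw[oid_at:oid_at + len(SPNEGO_OID)] != SPNEGO_OID:
        return "unknown"
    if NTLMSSP_SIG in raw:
        return "SPNEGO/NTLM"               # NegTokenInit whose mechToken is NTLMSSP
    if KRB5_OID in raw or MS_KRB5_OID in raw:
        return "SPNEGO/Kerberos"           # Kerberos listed in mechTypes
    return "SPNEGO/other"

def check_authorization(header: str, limit: int) -> dict:
    """Decode 'Negotiate <base64>' and compare the full header line with a byte limit."""
    m = re.fullmatch(r"\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*", header)
    if not m:
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(m.group(1))
    line_len = len("Authorization: " + header.strip())
    return {"mechanism": classify_token(raw), "token_bytes": len(raw),
            "header_line_bytes": line_len, "within_limit": line_len <= limit}

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body   # short-form length only (body < 128 bytes)

# Constructed samples: a minimal NTLMSSP message and a NegTokenInit listing Kerberos.
NTLM_SAMPLE = base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(28)).decode()
_neg_init = _der(0x30, _der(0xA0, _der(0x30, KRB5_OID)) + _der(0xA2, _der(0x04, b"\xde\xad\xbe\xef")))
SPNEGO_SAMPLE = base64.b64encode(_der(0x60, SPNEGO_OID + _der(0xA0, _neg_init))).decode()

if __name__ == "__main__":
    for sample in (NTLM_SAMPLE, SPNEGO_SAMPLE):
        print(check_authorization("Negotiate " + sample, limit=8192))
```

Run it against the header copied from a capture at each hop; a real Kerberos token will be several thousand bytes, so compare `header_line_bytes` with whatever limit that hop enforces.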

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Bram Cymet
Sent: Tuesday, February 05, 2013 6:09 PM
To: kerberos at mit.edu
Subject: [EXTERNAL] Spnego to Tomcat Fronted by Apache

Hi,

I am trying to get OpenAM working with kerberos authentication using Spnego.

OpenAM runs in a tomcat container. SPNEGO works perfectly if I expose the tomcat connector directly. However if I put apache in front of tomcat either with mod jk or a proxypass to the ajp connector then the token is not being passed properly and tomcat reports a 401 error saying This request requires HTTP authentication ().

So I am wondering if anyone has ever passed SPNEGO through apache to tomcat and if so how? Or maybe this isn't even possible.

Thanks,

--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
