[EXTERNAL] Spnego to Tomcat Fronted by Apache
Douglas E. Engert
deengert at anl.gov
Wed Feb 6 10:41:04 EST 2013
On 2/6/2013 9:18 AM, Nebergall, Christopher wrote:
> I haven't tested that configuration but it should work. Is apache webserver on the same system as tomcat? If not, then the client may be requesting the wrong key - and you could end up attempting the wrong key or NTLM rather than Kerberos. You can set up wireshark at each of the hops to verify. (Decode the base64 of the spnego token - it will be much shorter than a Kerberos token, less than 100 characters for NTLM vs 1000's for Kerberos spnego, and be prefixed with NTLM after the decode if it is NTLM.)
>
> Otherwise a common problem is the header size of your spnego token is too big for apache, tomcat or the connector.
If it is a ticket size problem and the KDC is AD, see:
http://support.microsoft.com/kb/832572
to not get a PAC in the ticket.
>
> I would think you would see some errors in your apache or tomcat logs about the header being too big/invalid request but here is everywhere in tomcat and apache you can try and tweak the max header size to see if it helps (not all of these will be required.)
>
>
> Fixes for Tomcat
>
> $CATALINA_HOME/conf/server.xml -> add packetSize and maxHttpHeaderSize parameters
>
>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" packetSize="20000" tomcatAuthentication="true" />
>
>
> <Connector executor="tomcatThreadPool"
> port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="20000"
> connectionTimeout="20000"
> redirectPort="8443" />
>
>
> $CATALINA_HOME/conf/jk/workers.properties
> #-------DEFAULT ajp13 WORKER DEFINITION-------------------------
> worker.ajp13.max_packet_size=20000
>
>
>
> Fix for apache:
> http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
> LimitRequestFieldSize 20000
>
> You might want to do this for the specific virtual server and not just in the general configuration.
>
> You can do this in older versions of apache 1.3 and 2.x but there is some built in limit you can't go over without recompiling apache - and it's not obvious you passed the limit from the logs.
>
> -Christopher
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Bram Cymet
> Sent: Tuesday, February 05, 2013 6:09 PM
> To: kerberos at mit.edu
> Subject: [EXTERNAL] Spnego to Tomcat Fronted by Apache
>
> Hi,
>
> I am trying to get OpenAM working with kerberos authentication using Spnego.
>
> OpenAM runs in a tomcat container. SPNEGO works perfectly if I expose the tomcat connector directly. However if I put apache in front of tomcat either with mod jk or a proxypass to the ajp connector then the token is not being passed properly and tomcat reports a 401 error saying This request requires HTTP authentication ().
>
> So I am wondering if anyone has ever passed SPNEGO through apache to tomcat and if so how? Or maybe this isn't even possible.
>
> Thanks,
>
> --
> Bram Cymet
> Software Developer
> Canadian Bank Note Co. Ltd.
> 613-608-9752
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
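The check Christopher describes (decode the base64 Negotiate token, look for the NTLM prefix, and compare the header against the configured limit), written out as an added example that is not part of the thread. The token bytes below are constructed, not captured traffic; the 8190 default is Apache's documented LimitRequestFieldSize default, and the 20000 value is the one the thread sets.

```python
import base64
import re
# DER-encoded OBJECT IDENTIFIERs that open a GSS-API InitialContextToken
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
def _der_length(buf, pos):
    first = buf[pos]                        # DER length at buf[pos] -> (length, next pos)
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(raw):
    """Return 'ntlm', 'spnego', 'krb5' or 'unknown' for a decoded Negotiate token."""
    if raw.startswith(b"NTLMSSP\x00"):      # NTLM signature, as the thread notes
        return "ntlm"
    if raw[:1] != b"\x60":                  # expect the GSS-API [APPLICATION 0] wrapper
        return "unknown"
    try:
        _, pos = _der_length(raw, 1)        # skip outer length; the mech OID follows
    except IndexError:
        return "unknown"
    if raw.startswith(SPNEGO_OID, pos):
        return "spnego"
    return "krb5" if raw.startswith(KRB5_OID, pos) else "unknown"

def inspect_negotiate_header(header_line, limit=8190):
    """Parse 'Authorization: Negotiate <b64>'; limit defaults to Apache's
    LimitRequestFieldSize default of 8190 (the thread raises it to 20000)."""
    m = re.match(r"Authorization:\s*Negotiate\s+(\S+)", header_line, re.I)
    if not m:
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(m.group(1))
    return {"mechanism": classify_token(raw), "token_bytes": len(raw),
            "header_bytes": len(header_line), "exceeds_limit": len(header_line) > limit}

def _gss_token(oid, inner):
    body = oid + inner                      # 0x60 InitialContextToken with a correct DER length
    if len(body) < 0x80:
        return b"\x60" + bytes([len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return b"\x60" + bytes([0x80 | len(lb)]) + lb + body

# Constructed samples (not captured traffic): a minimal NTLM Type 1 message, and a
# SPNEGO wrapper whose inner bytes are filler sized like a PAC-bearing ticket.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
SPNEGO_SAMPLE = _gss_token(SPNEGO_OID, b"\xa0" + b"\x00" * 1500)
def sample_headers():
    return {name: "Authorization: Negotiate " + base64.b64encode(tok).decode()
            for name, tok in (("ntlm", NTLM_TYPE1), ("spnego", SPNEGO_SAMPLE))}
```

Feed it the Authorization line pulled from a capture at each hop (client to Apache, Apache to Tomcat) to see whether the mechanism changes to NTLM or the line grows past the limit in force at that hop.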