how to specify target AD domain for authentication?

Dec 28, 2010 at 10:30 AM
Edited Dec 28, 2010 at 12:15 PM

Hello.

Kudos, dblock, on a great little gadget.  I spent a day and a half trying to use IIS as an NTLM authentication front end for my Tomcat app and still didn't have what I needed (getRemoteUser() and getUserPrincipal() both returning null no matter what I did). 

But in half an hour I had the waffle-negotiate sample running and doing exactly what I need.

Well, almost exactly what I need.  As I said, I have the waffle-negotiate sample working.  But it only authenticates users in the SAM of the machine it is running on.  In other words, for it to allow a logon the account must be a local account on the server that I am running Tomcat on, and it rejects any login attempts using accounts in the Active Directory domain that the server is a member of.

So, am I missing a configuration thingy?  For example, is there someplace that I must specify what the names of my AD domain controllers are?  Or must there be a role specified in web.xml of the nature <domain>\Everyone or <domain>\<group>?  Right now all I have in there is Everyone (with no domain prefix).

Thanks in advance for your help.

Oh and it's great that you're out there answering our questions too.

John

Here's a little more info - with verbose logging enabled I am getting this when a domain user first connects with her browser to the waffle-negotiate app, before typing anything into any login dialog...

28.12.2010 14:00:19 waffle.apache.NegotiateAuthenticator authenticate
FEIN: GET /waffle-negotiate/, contentlength: -1
28.12.2010 14:00:19 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization: <none>, ntlm post: false
28.12.2010 14:00:19 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization required
28.12.2010 14:00:19 waffle.apache.NegotiateAuthenticator authenticate
FEIN: GET /waffle-negotiate/, contentlength: -1
28.12.2010 14:00:19 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization: Negotiate YIIQngYGKwYBBQUCoIIQkjCCEI6gMDAuBgkqhkiC9xIBAgIGC
   <...truncated by author...>
LdVDV4HD5btfD5Eh1y7RuDbUwxwng==, ntlm post: false
28.12.2010 14:00:20 waffle.apache.NegotiateAuthenticator authenticate
FEIN: security package: Negotiate, connection id: 10.243.16.225:63403
28.12.2010 14:00:20 waffle.apache.NegotiateAuthenticator authenticate
FEIN: token buffer: 4258 byte(s)
28.12.2010 14:00:20 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue required: true
28.12.2010 14:00:20 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue token: oXsweaADCgEBoQsGCSqGSIL3EgECAqJlBGNgYQYJKoZIhvcSAQICAwB+Uj
BQoAMCAQWhAwIBHqQRGA8yMDEwMTIyODEzMDAyMFqlBQIDAZ4CpgMCASmpDxsNRVUuU0NPUi5MT0NBTK
oUMBKgAwIBAaELMAkbB2NoYXRqZmk=
28.12.2010 14:00:20 waffle.apache.NegotiateAuthenticator authenticate
FEIN: GET /waffle-negotiate/, contentlength: -1
28.12.2010 14:00:20 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization: Negotiate oYIQZTCCEGGgAwoBAaKCEFgEghBUYIIQUAYJKoZIhvcSAQICA
   <...truncated by author...>
8N35lviekwZ7mkoacHDtSLwq2rba0nCCg==, ntlm post: false
28.12.2010 14:00:20 waffle.apache.NegotiateAuthenticator authenticate
FEIN: security package: Negotiate, connection id: 10.243.16.225:63403
28.12.2010 14:00:20 waffle.apache.NegotiateAuthenticator authenticate
FEIN: token buffer: 4201 byte(s)
28.12.2010 14:00:20 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue required: true
28.12.2010 14:00:20 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue token: oW4wbKADCgEBomUEY2BhBgkqhkiG9xIBAgIDAH5SMFCgAwIBBaEDAgEepB
EYDzIwMTAxMjI4MTMwMDIwWqUFAgMCMsmmAwIBKakPGw1FVS5TQ09SLkxPQ0FMqhQwEqADAgEBoQswCR
sHY2hhdGpmaQ==

...at this point the logon dialog pops up on the browser.  So she enters her domain credentials in the format <domain>\<user> and this is in the log...

28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: GET /waffle-negotiate/, contentlength: -1
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization: Negotiate YIIQGQYGKwYBBQUCoIIQDTCCEAmgMDAuBgkqhkiC9xIBAgIGC
 <...truncated by author...>
rrUctYaBzJJ, ntlm post: false
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: security package: Negotiate, connection id: 10.243.16.225:63471
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: token buffer: 4125 byte(s)
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue required: true
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue token: oXsweaADCgEBoQsGCSqGSIL3EgECAqJlBGNgYQYJKoZIhvcSAQICAwB+Uj
BQoAMCAQWhAwIBHqQRGA8yMDEwMTIyODEzMDczMFqlBQIDA9OopgMCASmpDxsNRVUuU0NPUi5MT0NBTK
oUMBKgAwIBAaELMAkbB2NoYXRqZmk=
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: GET /waffle-negotiate/, contentlength: -1
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization: Negotiate oYIP4DCCD9ygAwoBAaKCD9MEgg/PYIIPywYJKoZIhvcSAQICA
 <...truncated by author...>
qB5GtlAFynuYdn4, ntlm post: false
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: security package: Negotiate, connection id: 10.243.16.225:63471
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: token buffer: 4068 byte(s)
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue required: true
28.12.2010 14:07:30 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue token: oW4wbKADCgEBomUEY2BhBgkqhkiG9xIBAgIDAH5SMFCgAwIBBaEDAgEepB
EYDzIwMTAxMjI4MTMwNzMwWqUFAgMEK2amAwIBKakPGw1FVS5TQ09SLkxPQ0FMqhQwEqADAgEBoQswCR
sHY2hhdGpmaQ==

...so now she enters the name and password of a local user from the computer tomcat is running on in the format <computer>\<user>.  The logon succeeds and this is in the log...

28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: GET /waffle-negotiate/, contentlength: -1
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdA
AAADw==, ntlm post: false
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: security package: Negotiate, connection id: 10.243.16.225:63533
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: token buffer: 40 byte(s)
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue required: true
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue token: TlRMTVNTUAACAAAABAAEADgAAAAVgonilwFPNO5JOUIAAAAAAAAAAJ4Ang
A8AAAABgGwHQAAAA9FAFUAAgAEAEUAVQABABYAQwBIAFYAVABTAFQATwBQAFMANQAwAAQAGgBlAHUALg
BzAGMAbwByAC4AbABvAGMAYQBsAAMAMgBDAEgAVgBUAFMAVABPAFAAUwA1ADAALgBlAHUALgBzAGMAbw
ByAC4AbABvAGMAYQBsAAUAFABzAGMAbwByAC4AbABvAGMAYQBsAAcACAD2U6/ikKbLAQAAAAA=
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: GET /waffle-negotiate/, contentlength: -1
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAABYAFgBYAAAAD
AAMAG4AAAAWABYAegAAABAAEADAAAAAFYKI4gYBsB0AAAAPcQO/14nw+J/AZklxvPNMSGMAaAB2AHQAc
wB0AG8AcABzADUAMAB3AGEAZgBmAGwAZQBaAFIASABEAFMANABSAEUANwAxADUArTib2RIxfCgAAAAAA
AAAAAAAAAAAAAAAdiis1TKpD6BiyhCcEHwtYJF3Ta42bDDxFxPfYTi0DcC7/IK7ILXJOQ==, ntlm post: false
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: security package: Negotiate, connection id: 10.243.16.225:63533
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: token buffer: 208 byte(s)
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: continue required: false
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: logged in user: CHVTSTOPS50\waffle (S-1-5-21-3400159852-2872931636-691536210-1014)
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: roles: BUILTIN\Administrators, BUILTIN\Users, CHVTSTOPS50\None, CHVTSTOPS50\waffle, Everyone, Mandatory Label\High Mandatory Level, NT AUTHORITY\Authenticated Users, NT AUTHORITY\NETWORK, NT AUTHORITY\NTLM Authentication, NT AUTHORITY\This Organization, S-1-1-0, S-1-16-12288, S-1-5-11, S-1-5-15, S-1-5-2, S-1-5-21-3400159852-2872931636-691536210-513, S-1-5-32-544, S-1-5-32-545, S-1-5-64-10
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
FEIN: session id:4443D451BD2EB24992AAF809F695A049
28.12.2010 14:12:31 waffle.apache.NegotiateAuthenticator authenticate
INFO: successfully logged in user: CHVTSTOPS50\waffle

Coordinator
Dec 28, 2010 at 12:32 PM
Edited Dec 28, 2010 at 12:34 PM

I've created a page for troubleshooting Negotiate authentication: http://waffle.codeplex.com/wikipage?title=Troubleshooting%20Negotiate&referringTitle=Home, start there. Let us know what you find.

Two things that come to mind:

  1. What account does the server run under? Try LocalSystem and/or a domain account.
  2. Is your client machine on the domain and are you logged in as a domain user? It has to be for SSO to work.

Dec 28, 2010 at 2:14 PM

Thanks!  I will work through the troubleshooting doc and report back.

Regarding the points:

1.  Tomcat is running interactively (not running as a service for now while I test) on a Windows 2008 server logged in with my domain account.  Both my account and the server are in the same domain.

2.  Client is IE8 on a Windows 7 workstation in the same domain as the server and using my domain account.   In short, all workstations, servers and accounts are in the same domain.

One observation I made was that the token from the failed attempts is MUCH bigger than the token from the successful attempts.  I truncated the lines in my message to you, but the failed token is like 200 lines long, the successful one is 5 lines.  Could there be some other "protocol" involved?  Like NTLMv2 or something?  Pardon me, I really don't know much about what is underneath the hood of all this NTLM stuff.

Coordinator
Dec 28, 2010 at 2:54 PM

The longer ticket says that the protocol chosen is Kerberos (usually those tickets are longer), while the shorter ones are NTLM. See if http://localhost vs. http://machinename changes anything. Try from a remote machine. Kerberos wants an actual host name usually (and possibly even a valid SPN - google that).
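
To confirm the Kerberos-versus-NTLM diagnosis from the token itself rather than from its length, here is an added Python helper (not part of this thread or of Waffle) that decodes the base64 value of a Negotiate header and reports whether it is a raw NTLMSSP message or a SPNEGO token, and which mechanism the client prefers. The constructed sample log uses the first 48 base64 characters of the failing and succeeding tokens quoted earlier in the thread.

```python
import base64
import re

# DER encodings of the OIDs involved.  A SPNEGO NegTokenInit begins with 0x60
# (GSS InitialContextToken) plus the SPNEGO OID; a raw NTLM token begins with
# the ASCII signature "NTLMSSP\0".  The mechTypes list precedes the mechToken,
# so the first mechanism OID found is the one the client prefers.
SPNEGO_OID = bytes.fromhex("06062b0601050502")                # 1.3.6.1.5.5.2
MECH_OIDS = {
    "MS Kerberos": bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2
    "Kerberos": bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
    "NTLMSSP": bytes.fromhex("060a2b06010401823702020a"),    # 1.3.6.1.4.1.311.2.2.10
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def classify_negotiate_token(b64):
    """Report which mechanism a base64 'Negotiate' header value carries."""
    b64 = b64.strip().rstrip("=")
    if len(b64) % 4 == 1:  # truncated log dump: drop the dangling sextet
        b64 = b64[:-1]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "NTLM type %d" % int.from_bytes(raw[8:12], "little")
    if raw[:1] == b"\x60" and SPNEGO_OID in raw:
        found = sorted((raw.find(oid), name)
                       for name, oid in MECH_OIDS.items() if oid in raw)
        mech = found[0][1] if found else "unknown"
        return "SPNEGO NegTokenInit, preferred mech: " + mech
    if raw[:1] == b"\xa1":
        return "SPNEGO NegTokenResp (server continue token)"
    return "unknown"


def parse_log(text):
    """Classify every 'authorization: Negotiate ...' line of a Waffle log."""
    pattern = re.compile(r"authorization: Negotiate (\S+), ntlm post")
    return [classify_negotiate_token(m.group(1)) for m in pattern.finditer(text)]


# Constructed sample in the thread's log layout; the tokens are the first 48
# base64 characters of the failing (Kerberos) and succeeding (NTLM) attempts.
SAMPLE_LOG = """\
FEIN: authorization: Negotiate YIIQngYGKwYBBQUCoIIQkjCCEI6gMDAuBgkqhkiC9xIBAgIG, ntlm post: false
FEIN: authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAd, ntlm post: false
"""

if __name__ == "__main__":
    for verdict in parse_log(SAMPLE_LOG):
        print(verdict)
```

A client that prefers MS Kerberos in its NegTokenInit but never completes the exchange for a given host name is the pattern described in this thread; the same helper applied to the server's continue tokens shows the NTLM fallback only when the token starts with "NTLMSSP".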

Dec 30, 2010 at 12:10 PM

OMG!  You're onto something.  When I launch the browser on the same server that Tomcat runs on, and use the url http://localhost:8080/waffle-filter, I get an SSO logon with my domain account!

However, if I use the server name instead of localhost (http://servername:8080/waffle-filter) I cannot logon with my domain account (no logon either sso or by typing in password).  Again I am limited to only logging on using accounts defined in the local SAM of the tomcat server.

I still haven't finished getting through the troubleshooting doc.  But in the meantime, if this tells you anything useful, please share...

Dec 30, 2010 at 2:33 PM

And it gets even stranger (to me, at least), if I remotely open the URL using IP address (http://192.168.57.245:8080/waffle-filter) I get an SSO logon with my domain account ALSO!  But using the server name in the URL does not allow logon for my domain account, either SSO or manually typed in user/password.

Coordinator
Dec 31, 2010 at 5:07 AM

All I can add to what I said above is that by the time you get a popup, waffle has failed. SSO means you are never prompted for credentials. When you post logs, make sure to press Escape and not enter anything in those boxes.

Dec 31, 2010 at 8:41 AM

Thanks for your patience!

I've come to the conclusion that the problem here is really my lack of understanding of Kerberos.  My browsers are definitely trying to use Kerberos to authenticate when SSO fails, and NTLM when it succeeds.  So I have to research the Kerberos / hostname issue and this "SPN" thing you mentioned in an earlier post.  I will take some days to educate myself first, and then try again.

I have one last question for the moment:  Do you have a recommendation for a book or site that treats only the aspects of Kerberos that a web developer needs to know?  I did some looking around and it is a MASSIVE topic, and I definitely don't have the time (and hopefully the need) to learn everything about Kerberos.  Sort of a "Kerberos for Web Developers in a Nutshell"?

Coordinator
Dec 31, 2010 at 12:16 PM

You can always disable Kerberos and stick to NTLM if you can't figure it out (see docs of how to configure providers, depending on which filter/authenticator you use). NTLMv2 is as strong as Kerberos and users don't care.

The way I learned this stuff is by working with the Windows NT security team in Redmond on a project that involved hacking SSPI, so I kind of saw it backwards from the rest of the world. But then I've always relied on MSDN to understand how these things work; the documentation is now a lot more complete. I suggest starting there.

Finally, it would be very helpful if you contributed how-tos in public blog posts or Waffle documentation.

Jan 12, 2011 at 6:49 PM
chtjfi wrote:

And it gets even stranger (to me, at least), if I remotely open the URL using IP address (http://192.168.57.245:8080/waffle-filter) I get an SSO logon with my domain account ALSO!  But using the server name in the URL does not allow logon for my domain account, either SSO or manually typed in user/password.

Did you ever find a resolution to this? I am having the exact same problem. If I access the server by name it does not authenticate, but if I use the IP address it authenticates with no problem.

Coordinator
Jan 12, 2011 at 8:37 PM

@mberning: it's most likely a Kerberos SPN problem - you need an SPN properly configured for this endpoint (server). Or disable Kerberos and do NTLM.

Mar 21, 2013 at 6:51 PM

@dblock: Could you please explain in more detail what you mean by a Kerberos SPN problem.

How to configure an SPN for this endpoint (server)?

How to disable Kerberos and do NTLM? Is there a way we can configure the filter for this?

I have a problem where accessing the server by name does not authenticate, but if I use the IP address it authenticates with no problem.

Please help me on this.

Coordinator
Mar 22, 2013 at 5:51 PM

This project has moved to Github. Please email the new list.