Security Filter not working in complex network

Mar 11, 2011 at 2:18 PM

Hi,

I've successfully configured Waffle Security Filter in my testing environment with two machines: a server with Active Directory and Tomcat running on it, and a client machine that accesses the service. SSO went fine and it was much easier to configure than my previous attempt to get SSO using Spnego.

The problem started when I moved to a production environment with a more complex network. There, the server running Tomcat is not the one running the AD, and my Tomcat runs under a specific user, which I used to add the Tomcat server SPN, like this:

setspn -A HTTP/tomcat-server tomcat-user
setspn -A HTTP/tomcat-server.full-domain tomcat-user

My waffle configuration is pretty much the same as the filter demo config:

	<filter>
		<filter-name>SecurityFilter</filter-name>
		<filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>   
		<init-param>
			<param-name>principalFormat</param-name>
			<param-value>fqn</param-value>
		</init-param>
		<init-param>
			<param-name>roleFormat</param-name>
			<param-value>both</param-value>
		</init-param>
		<init-param>
			<param-name>allowGuestLogin</param-name>
			<param-value>true</param-value>
		</init-param>
		<init-param>
			<param-name>securityFilterProviders</param-name>
			<param-value>
				waffle.servlet.spi.NegotiateSecurityFilterProvider
				waffle.servlet.spi.BasicSecurityFilterProvider    		
			</param-value>
		</init-param>
		<init-param>
			<param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
			<param-value>
				Negotiate
				NTLM
			</param-value>
		</init-param>
		<init-param>    
			<param-name>waffle.servlet.spi.BasicSecurityFilterProvider/realm</param-name>
			<param-value>Tatem Gerencial Web</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>SecurityFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

but the SSO does not work. It keeps prompting me with a user / password popup. The log shows nothing but an INFO: authorization required message. I've already tried reordering filter protocols and filter providers and also increased the Tomcat header max size as suggested in a discussion in the forum, and none of these helped me.

I'm adding here a sample of an output from iehttpheaders:

GET /tatemgerencialweb/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: gavtstsis:8900
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="Tatem Gerencial Web"
Connection: keep-alive
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Fri, 11 Mar 2011 13:31:32 GMT

GET /tatemgerencialweb/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: gavtstsis:8900
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomi6cY9sUlHWcQAAAAAAAAAAJYAlgBCAAAABQLODgAAAA9HAEEAVgBFAEEAAgAKAEcAQQBWAEUAQQABABIARwBBAFYAVABTAFQAUwBJAFMABAAWAGcAYQB2AGUAYQAuAGwAbwBjAGEAbAADACoARwBBAFYAVABTAFQAUwBJAFMALgBnAGEAdgBlAGEALgBsAG8AYwBhAGwABQAWAGcAYQB2AGUAYQAuAGwAbwBjAGEAbAAHAAgA0Mrcu/DfywEAAAAA
Connection: keep-alive
Transfer-Encoding: chunked
Date: Fri, 11 Mar 2011 13:32:14 GMT

GET /tatemgerencialweb/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: gavtstsis:8900
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIAAAAAYABgAmAAAAAoACgBIAAAAHAAcAFIAAAASABIAbgAAAAAAAACwAAAABYKIogUCzg4AAAAPZwBhAHYAZQBhAGEAZABtAF8AbQB2AG8AbABpAHYAZQBpAHIAYQBHAEEAVgBUAFMAVABTAEkAUwDrRu683xQingAAAAAAAAAAAAAAAAAAAAAvC34JAuK/WvmyZe+LKoAIulBJmaB4FEA=

In the working environment I do not get the first two headers; it starts from the third (which I got after entering my user / password in the login dialog).

Any help is appreciated. Thanks very much.

Carlos Lopes

Coordinator
Mar 11, 2011 at 2:33 PM

By the time you get a popup, SSO has failed. The browser pops up because it expected it to work.

It looks correct in the beginning and the client picks NTLM (short Authorization token). The server is happy with the first ticket, but refuses the second step of authentication. First, look at the server-side log to find out what the error was with this negotiate token - probably a generic "the token supplied is invalid" or something like that.

Then go through the troubleshooting negotiate section - http://waffle.codeplex.com/documentation. This is almost always an SPN/client problem or a rights problem of the account under which the service runs.
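The reading above (the client picked NTLM) can be checked directly from the capture, because a raw NTLMSSP message and a SPNEGO/Kerberos token are distinguishable from their first bytes once the base64 after `Authorization: Negotiate` is decoded. The Python below is an added example written for this page; it is not code from the thread or from Waffle. It decodes the Type 1 and Type 2 tokens posted above (the two sample strings are copied from the capture; the Type 3 token can be fed to `parse_ntlm` the same way), following the MS-NLMP message layout, and reports only the fields useful for this diagnosis. The short SPNEGO sample is a constructed DER prefix, not a real ticket.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Negotiate flags (MS-NLMP 2.2.2.5): the subset worth naming when reading a capture.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# AV_PAIR ids carried in the Type 2 TargetInfo (MS-NLMP 2.2.2.1).
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}

# Tokens copied from the capture in the post above (Type 1 from the client, Type 2 from Waffle).
TYPE1_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw=="
TYPE2_TOKEN = ("TlRMTVNTUAACAAAACgAKADgAAAAFgomi6cY9sUlHWcQAAAAAAAAAAJYAlgBCAAAABQLODgAAAA9HAEEAVgBFAEEAAgAKAEcAQQBW"
               "AEUAQQABABIARwBBAFYAVABTAFQAUwBJAFMABAAWAGcAYQB2AGUAYQAuAGwAbwBjAGEAbAADACoARwBBAFYAVABTAFQAUwBJAFMA"
               "LgBnAGEAdgBlAGEALgBsAG8AYwBhAGwABQAWAGcAYQB2AGUAYQAuAGwAbwBjAGEAbAAHAAgA0Mrcu/DfywEAAAAA")
# Constructed sample: the DER prefix of a SPNEGO InitialContextToken (tag 0x60, then the SPNEGO OID 1.3.6.1.5.5.2).
SPNEGO_SAMPLE_TOKEN = base64.b64encode(b"\x60\x82\x06\x1c\x06\x06\x2b\x06\x01\x05\x05\x02").decode()


def _buffer(msg, offset):
    """Read an NTLM security buffer (len, maxlen, offset) at `offset` and return the bytes it points to."""
    length, _maxlen, pos = struct.unpack_from("<HHI", msg, offset)
    return msg[pos:pos + length]


def _flags(value):
    return sorted(name for bit, name in NTLM_FLAGS.items() if value & bit)


def _version(msg, offset):
    major, minor, build = struct.unpack_from("<BBH", msg, offset)
    return f"{major}.{minor} build {build}"


def _filetime(raw):
    ticks, = struct.unpack("<Q", raw)  # 100 ns intervals since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def _parse_av_pairs(data):
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = data[pos:pos + av_len]
        pos += av_len
        name = AV_IDS.get(av_id, f"AvId{av_id}")
        pairs[name] = _filetime(value).isoformat() if av_id == 7 else value.decode("utf-16-le")
    return pairs


def classify_token(b64):
    """Say what the blob after 'Authorization: Negotiate' actually is: NTLMSSP, SPNEGO, or unknown."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "NTLMSSP"
    if raw[:1] == b"\x60":  # [APPLICATION 0] InitialContextToken, the GSS-API/SPNEGO wrapper
        return "SPNEGO"
    return "unknown"


def parse_ntlm(b64):
    """Decode the fields of an NTLMSSP Type 1, 2 or 3 message that matter when diagnosing an SSO failure."""
    raw = base64.b64decode(b64)
    if not raw.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", raw, 8)
    out = {"type": msg_type}
    if msg_type == 1:  # NEGOTIATE_MESSAGE: flags at 12, domain/workstation buffers, optional version at 32
        flags, = struct.unpack_from("<I", raw, 12)
        out["flags"] = _flags(flags)
        if flags & 0x02000000:
            out["version"] = _version(raw, 32)
    elif msg_type == 2:  # CHALLENGE_MESSAGE: target name at 12, flags at 20, challenge 24..32, target info at 40
        flags, = struct.unpack_from("<I", raw, 20)
        out["flags"] = _flags(flags)
        out["target_name"] = _buffer(raw, 12).decode("utf-16-le")
        out["challenge"] = raw[24:32].hex()
        if flags & 0x02000000:
            out["version"] = _version(raw, 48)
        if flags & 0x00800000:
            out["target_info"] = _parse_av_pairs(_buffer(raw, 40))
    elif msg_type == 3:  # AUTHENTICATE_MESSAGE: LM 12, NT 20, domain 28, user 36, workstation 44, flags 60
        flags, = struct.unpack_from("<I", raw, 60)
        out["flags"] = _flags(flags)
        out["domain"] = _buffer(raw, 28).decode("utf-16-le")
        out["user"] = _buffer(raw, 36).decode("utf-16-le")
        out["workstation"] = _buffer(raw, 44).decode("utf-16-le")
        out["lm_response"] = _buffer(raw, 12).hex()
        out["nt_response"] = _buffer(raw, 20).hex()
    return out


if __name__ == "__main__":
    for token in (TYPE1_TOKEN, TYPE2_TOKEN):
        print(classify_token(token), parse_ntlm(token))
```

Run against the capture, the first `Authorization` value classifies as NTLMSSP (Type 1, Windows 5.2 build 3790, matching the "Windows NT 5.2" user agent), so Internet Explorer never presented a Kerberos ticket; a SPNEGO token would have begun with `YII` in base64. The Type 2 reply shows Waffle identifying the server as GAVTSTSIS in domain GAVEA (gavea.local) with a timestamp matching the response's `Date` header, so the server side of the NTLM handshake is behaving normally. Internet Explorer builds the Kerberos SPN from the host name in the URL, here `gavtstsis` per the `Host` header, so that is the name an `HTTP/...` SPN must cover; the `setspn` lines in the post use placeholder names, so the thread itself does not show whether they match.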

Mar 11, 2011 at 3:59 PM

I guess the problem should be with the SPN, since there are no errors in the server-side log and I've followed all the instructions in the troubleshooting negotiate section. Do you have good documentation on SPNs? Thanks