I am trying to set up a tomcat server to use Kerberos authentication. This server is the base for the Spotfire Application server. I set up my krb5.config file like this:

[libdefaults]
    default_realm = MYCOMPANY.COM
    default_keytab_name = mykeytab.keytab
    default_tkt_enctypes = aes128-cts rc4-hmac
    default_tgs_enctypes = aes128-cts rc4-hmac
    forwardable = true

[realms]
    MYCOMPANY.COM = {
        kdc = myserver03.mycompany.com
        kdc = myserver04.mycompany.com
        admin_server = myserver03.mycompany.com
        default_domain = mycompany.com
    }

[domain_realm]
    .mycompany.com = MYCOMPANY.COM
    mycompany.com = MYCOMPANY.COM

[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true

This application server needs to delegate the user's credentials to another server called "anotherserver.mycompany.com". This works well for me and some users, but for another group of users it does not work and it fires an error about delegation specific to that server: RequireDelegationStrategy.login. I changed the domain_realm entry in the krb5 file and I can reproduce the issue with my own credentials just by changing this:

[domain_realm]
    .mycompany.com = .MYCOMPANY.COM
    mycompany.com = MYCOMPANY.COM

Notice that I added a "." to the "MYCOMPANY.COM" entry. I can get rid of the "." and it goes back to working normally. So that made me think that the issue has to be related to that specific entry and that I may have to add an entry for that specific server. I added it as shown below, and then it did not work for any user. We all got the same delegation error:

[domain_realm]
    .mycompany.com = MYCOMPANY.COM
    mycompany.com = MYCOMPANY.COM
    anotherserver.mycompany.com = ANOTHERSERVER.MYCOMPANY.COM

My question is, am I missing the syntax for adding this entry in the file? If so, what would be the correct syntax to add these servers in the domain_realm section?

Luis Garcia
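The three [domain_realm] variants above, worked through as an added Python example (not code from the original post, Spotfire or Tomcat). It reads a constructed krb5.conf laid out like the one in the question, resolves a host name to its realm the way [domain_realm] matching works (exact host tag first, then the nearest parent domain, with a bare "domain = REALM" tag also covering ".domain"), and reports the two misconfigurations shown: a realm value that starts with a dot, and a host mapped to a realm that is not declared in [realms]. The parser and the fallback to default_realm are simplifications of what libkrb5 does, which can also consult DNS.

```python
# Constructed krb5.conf mirroring the question's layout (not the poster's file).
GOOD = """
[libdefaults]
    default_realm = MYCOMPANY.COM
[realms]
    MYCOMPANY.COM = {
        kdc = myserver03.mycompany.com
    }
[domain_realm]
    .mycompany.com = MYCOMPANY.COM
    mycompany.com = MYCOMPANY.COM
"""
BAD_DOT = GOOD.replace(".mycompany.com = MYCOMPANY.COM", ".mycompany.com = .MYCOMPANY.COM")
BAD_HOST = GOOD + "    anotherserver.mycompany.com = ANOTHERSERVER.MYCOMPANY.COM\n"

def parse_krb5(text):
    # Minimal reader: top-level tags per section, plus realm names declared in [realms].
    conf, realms, section, depth = {}, set(), None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            conf.setdefault(section := line[1:-1], {})
        elif line.endswith("{"):
            if section == "realms" and depth == 0:
                realms.add(line[:-1].strip(" ="))
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and section and "=" in line:
            tag, value = (s.strip() for s in line.split("=", 1))
            conf[section][tag.lower()] = value  # host/domain tags are case-insensitive
    return conf, realms

def realm_for_host(hostname, conf):
    # Exact host tag first, then nearest parent domain; 'domain = REALM' also covers '.domain'.
    mapping, labels = conf.get("domain_realm", {}), hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        for tag in ((parent,) if i == 0 else ("." + parent, parent)):
            if tag in mapping:
                return mapping[tag]
    return conf.get("libdefaults", {}).get("default_realm")  # libkrb5 may try DNS first

def check_delegation_target(hostname, text):
    # Resolve the target host's realm and verify the config can actually use it.
    conf, realms = parse_krb5(text)
    realm = realm_for_host(hostname, conf)
    if realm is None:
        return realm, "no mapping and no default_realm"
    if realm.startswith("."):
        return realm, "realm starts with '.' (the dot belongs on the domain tag)"
    return realm, "ok" if realm in realms else "realm not declared in [realms]"
```

Running check_delegation_target("anotherserver.mycompany.com", ...) against GOOD, BAD_DOT and BAD_HOST shows which realm each variant would hand to the delegation code and why the last two cannot work.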

1 Answer

Please remove the anotherserver.mycompany.com = ANOTHERSERVER.MYCOMPANY.COM line under the [domain_realm] section of krb5.conf; it doesn't belong there. That section is for Kerberos realm names only, not for server names.

Based on the problem statement I think your Kerberos delegation is set up correctly. If it wasn't, Kerberos authentication wouldn't work at all for any user.

The fact that it is working for some users but not all tells me the problem is somewhere else. After authentication comes authorization, and in your case you're doing that by groups. I'm not that familiar with Tomcat, but I believe in either the Tomcat server.xml or web.xml you will find one or more roles defined which probably map to some directory service group name. I think your users who can access the Tomcat web application are probably in the role-to-group mapping defined in server.xml or web.xml; users who aren't in that group fail authorization.

T-Heron
  • Your first paragraph is not correct. The `domain_realm` is intended to map hostnames to realms. So if you use hostnames out of scheme, this is the place for this. Windows has KFSO for this. – Michael-O Jan 30 '18 at 16:11