Kerberos Delegation thru Windows' ISAPI? - Kerberos



Thread: Kerberos Delegation thru Windows' ISAPI?

  1. Kerberos Delegation thru Windows' ISAPI?

    I have a Kerberos delegation issue caused by the separation of IIS worker
    processes and the Tomcat web server process on Windows.

    Specifically, I have a customer running Tomcat through ISAPI
    on Windows with IIS using Integrated Windows Authentication
    (Kerberos). Authentication is working. The getRemoteUser method returns
    the user's expected identity. Delegation is working. An ASP can use
    the client's credentials to request another protected page on a second
    IIS server. Note, impersonation is not used in any way, shape or form
    (nor would it work).

    I put together a Kerberos capable HTTP client and tried to invoke it
    through the IIS authenticated Servlet. This does not work. The JGSS
    routines cannot find the delegated ticket (TGT).

    Can anyone guess as to why this is?

    My thinking is that even though the Tomcat process and IIS workers are
    running under the same service account, Tomcat servlets do not have
    access to the IIS worker's credential cache because the credential
    cache is per-logon session and IIS creates a new logon session with each
    authentication. Does this sound right? I can't find any documentation
    about this scenario.

    My next thought was to export the security context but someone just
    posted a message that indicated Sun's Java doesn't support exporting
    the credential. If that's true I guess I'm toast?

    It would be a nice feature if Tomcat's ISAPI dll used
    LsaGetLogonSessionData and similar in the IIS worker to get any TGT
    present and ship it over to the Tomcat worker so Java can get to it. A
    lot of shops are MS SSO only and don't want a separate container for Java.

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Kerberos Delegation thru Windows' ISAPI?

    Hi Michael,

    If I understood you correctly, your goal is to trigger from MS IIS something
    written in Java using Kerberos authentication. I would suggest that you put
    together a servlet in Tomcat and make IIS authenticate itself against this
    servlet using SPNEGO.

    Most probably you will have to develop a SPNEGO authenticator in Tomcat
    yourself. I was looking for this thing a while ago on the Internet and could not
    find anything meaningful, and therefore I have developed something similar
    myself.

    What you will have to do in such a case is to extract GSSAPIv2 tokens from
    the SPNEGO tokens which you will receive from IIS, or otherwise build SPNEGO
    tokens from the GSSAPIv2 tokens provided by Sun's GSSAPIv2 implementation. That is,
    you will need an API to parse DER-encoded ASN.1 structures, or otherwise
    encode ASN.1 structures.

    Even for this you will have trouble finding a meaningful API unless you can
    use IAIK. If you have to stay "open source" you may want to try
    www.bouncycastle.org; they claim to have a library to work with ASN.1
    structures.

    Best regards, vadim tarassov

    On Friday 08 September 2006 00:20, Michael B Allen wrote:
    > I have a Kerberos delegation issue caused by the separation of IIS worker
    > processes and the Tomcat web server process on Windows.
    >
    > Specifically, I have a customer running Tomcat through ISAPI
    > on Windows with IIS using Integrated Windows Authentication
    > (Kerberos). Authentication is working. The getRemoteUser method returns
    > the user's expected identity. Delegation is working. An ASP can use
    > the client's credentials to request another protected page on a second
    > IIS server. Note, impersonation is not used in any way, shape or form
    > (nor would it work).
    >
    > I put together a Kerberos capable HTTP client and tried to invoke it
    > through the IIS authenticated Servlet. This does not work. The JGSS
    > routines cannot find the delegated ticket (TGT).
    >
    > Can anyone guess as to why this is?
    >
    > My thinking is that even though the Tomcat process and IIS workers are
    > running under the same service account, Tomcat servlets do not have
    > access to the IIS worker's credential cache because the credential
    > cache is per-logon session and IIS creates a new logon session with each
    > authentication. Does this sound right? I can't find any documentation
    > about this scenario.
    >
    > My next thought was to export the security context but someone just
    > posted a message that indicated Sun's Java doesn't support exporting
    > the credential. If that's true I guess I'm toast?
    >
    > It would be a nice feature if Tomcat's ISAPI dll used
    > LsaGetLogonSessionData and similar in the IIS worker to get any TGT
    > present and ship it over to the Tomcat worker so Java can get to it. A
    > lot of shops are MS SSO only and don't want a separate container for Java.
    >
    > Mike

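    The unwrap/re-wrap step vadim describes, as an added example that is not code from the thread or from any of the libraries mentioned: a minimal Python DER reader and writer that builds a SPNEGO NegTokenInit around a raw mech token and extracts the mechTypes list and mechToken from one. It assumes the well-known mech OIDs (pre-encoded in DER) and uses a constructed placeholder in place of a real Kerberos AP-REQ.

```python
# Added example (not from the thread): SPNEGO NegTokenInit layering per RFC 4178 with a
# hand-rolled DER reader/writer. Mech OIDs are stored pre-encoded (DER contents bytes).
OIDS = {
    b"\x2b\x06\x01\x05\x05\x02": "SPNEGO",                     # 1.3.6.1.5.5.2
    b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02": "KRB5",           # 1.2.840.113554.1.2.2
    b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02": "MS-KRB5",        # 1.2.840.48018.1.2.2
    b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a": "NTLMSSP",    # 1.3.6.1.4.1.311.2.2.10
}
NAMES = {name: oid for oid, name in OIDS.items()}

def _der_len(n):                 # DER length: short form, else 0x80|k then k length bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):              # one DER tag-length-value element
    return bytes([tag]) + _der_len(len(body)) + body

def read_tlv(buf, pos=0):        # -> (tag, contents, position just past the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                 # long-form length (real Kerberos AP-REQs exceed 127 bytes)
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def wrap_neg_token_init(mech_names, mech_token):
    """[APPLICATION 0]{ OID spnego, [0] SEQUENCE{ [0] mechTypes, [2] OCTET STRING } }"""
    mech_list = tlv(0x30, b"".join(tlv(0x06, NAMES[m]) for m in mech_names))
    init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, tlv(0x06, NAMES["SPNEGO"]) + tlv(0xA0, init))

def unwrap_neg_token_init(token):
    """Return (mechTypes by name, raw mechToken or None); raise on non-SPNEGO input."""
    tag, body, _ = read_tlv(token)
    otag, oid, pos = read_tlv(body)
    if tag != 0x60 or otag != 0x06 or OIDS.get(oid) != "SPNEGO":
        raise ValueError("not a SPNEGO initial context token (bare Kerberos or NTLMSSP?)")
    seq = read_tlv(read_tlv(body, pos)[1])[1]   # [0] negTokenInit (0xA1 = NegTokenResp)
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                         # [0] mechTypes: SEQUENCE OF OID
            lst, p = read_tlv(field)[1], 0
            while p < len(lst):
                _, oid, p = read_tlv(lst, p)
                mechs.append(OIDS.get(oid, oid.hex()))
        elif tag == 0xA2:                       # [2] mechToken: OCTET STRING
            mech_token = read_tlv(field)[1]
    return mechs, mech_token
```

    The same unwrapping doubles as a check on what IIS actually hands over: if NTLMSSP is listed before KRB5 in mechTypes, the client offered NTLM ahead of Kerberos.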


  3. Re: Kerberos Delegation thru Windows' ISAPI?

    On Fri, 8 Sep 2006 11:33:31 +0200
    vadim wrote:

    > Hi Michael,
    >
    > If I understood you correctly, your goal is to trigger from MS IIS something
    > written in Java using Kerberos authentication. I would suggest that you put
    > together a servlet in Tomcat and make IIS authenticate itself against this
    > servlet using SPNEGO.


    Yeah, we know we can do SPNEGO entirely on the Tomcat side (Vintela
    does it) but some shops prefer to use IIS's IWA feature through and
    through. You can still run through IIS, but if you do you have to turn
    off IWA or IIS will intercept the GSSAPI tokens.

    So I'm trying to determine if I can get around the logon session
    partitioning problem. The ideal solution would be to enable Tomcat's ISAPI
    redirector to copy the TGT from the IIS worker process logon session to
    the Tomcat worker's logon session credential cache. But I suppose that's
    a lost cause ...

    > Most probably you will have to develop a SPNEGO authenticator in Tomcat
    > yourself. I was looking for this thing a while ago on the Internet and could not
    > find anything meaningful, and therefore I have developed something similar
    > myself.


    There's also jcifs-ext on SourceForge (the regular jcifs Filter only
    does NTLM). It's fallen by the wayside a little, but the JBoss folks
    have tossed it around. Personally I don't think the code is used enough
    to give to a customer.

    > What you will have to do in such a case is to extract GSSAPIv2 tokens from
    > the SPNEGO tokens which you will receive from IIS, or otherwise build SPNEGO
    > tokens from the GSSAPIv2 tokens provided by Sun's GSSAPIv2 implementation. That is,
    > you will need an API to parse DER-encoded ASN.1 structures, or otherwise
    > encode ASN.1 structures.
    >
    > Even for this you will have trouble finding a meaningful API unless you can
    > use IAIK. If you have to stay "open source" you may want to try
    > www.bouncycastle.org; they claim to have a library to work with ASN.1
    > structures.
    >
    > Best regards, vadim tarassov



    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/

