I'm using the http://spnego.sourceforge.net/spnego_tomcat.html tutorial to try to configure Tomcat to use SPNEGO.
Hello_KDC.java worked and I was able to authenticate. And if I use the wrong password I get an exception, so it's working.
But when I try to use that tutorial for Tomcat it breaks. Tomcat ROOT/index.jsp comes up blank, and when monitoring I see it's returning 404. log\host-manager.2013-02-22.log has the following:
Fev 22, 2013 1:39:03 PM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter SpnegoHttpFilter
javax.servlet.ServletException: javax.security.auth.login.LoginException: Cannot locate default realm
at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:198)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:107)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4656)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5309)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1114)
at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1673)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.auth.login.LoginException: Cannot locate default realm
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at net.sourceforge.spnego.SpnegoAuthenticator.<init>(SpnegoAuthenticator.java:161)
at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:196)
... 17 more
Caused by: KrbException: Cannot locate default realm
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
... 32 more
Caused by: KrbException: Cannot locate default realm
at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
... 33 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
... 34 more
That happens during Tomcat startup, before any page is loaded from the browser. When I try to load the page, no log is added.
In krb5.conf I tried both hostname and IP and get the same error. krb5.conf and login.conf are being located, because if I delete them I get this log:
Fev 22, 2013 1:46:05 PM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter SpnegoHttpFilter
java.lang.SecurityException: login.conf (tal arquivo ou diretório não existe)
at com.sun.security.auth.login.ConfigFile.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at javax.security.auth.login.Configuration$3.run(Unknown Source)
at javax.security.auth.login.Configuration$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.Configuration.getConfiguration(Unknown Source)
at net.sourceforge.spnego.SpnegoFilterConfig.doClientModule(SpnegoFilterConfig.java:176)
at net.sourceforge.spnego.SpnegoFilterConfig.<init>(SpnegoFilterConfig.java:138)
at net.sourceforge.spnego.SpnegoFilterConfig.getInstance(SpnegoFilterConfig.java:314)
at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:193)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:107)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4656)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5309)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1114)
at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1673)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: login.conf (tal arquivo ou diretório não existe)
at com.sun.security.auth.login.ConfigFile.init(Unknown Source)
... 32 more
Any idea what may be happening?
It could mean two things:-
Here is a sample krb5.conf for reference. Note the fact that in this case, my tomcat hosting machine is on KERBOS.COM
[libdefaults]
default_realm = KERBOS.COM
ticket_lifetime = 36000
[realms]
KERBOS.COM = {
kdc = 10.1.2.3
admin_server = INQS28KERB01
default_domain = KERBOS.COM
}
[domain_realm]
.mycompany.com = KERBOS.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
For me this works. Please provide your krb5.conf for details. Moreover please also provide the tomcat filter edit you did, it is possible something is wrongly configured there.
One possible cause of the exception KrbException: Cannot locate default realm is that the login module can't locate your krb5.conf.
The instructions for configuring Tomcat for Windows Integrated Authentication state that the krb5.conf should be placed in the Tomcat home directory, e.g. C:\Tomcat\ if you're on Windows.
In general, however (i.e. not specific to the Sourceforge project you're referring to), the default locations where the login module will look for the krb5.conf are defined here:
If the system property java.security.krb5.conf is set, its value is assumed to specify the path and file name.
If that system property value is not set, then the configuration file is looked for in the directory:
- \lib\security (Windows)
- /lib/security (Solaris and Linux)
If the file is still not found, then an attempt is made to locate it as follows:
- /etc/krb5/krb5.conf (Solaris)
- c:\winnt\krb5.ini (Windows)
- /etc/krb5.conf (Linux)
Setting some additional properties to activate debug logging can help in determining where your particular application is looking for the krb5.conf:
System.setProperty("sun.security.krb5.debug", "true");
Debug output could print some or all of the following depending on your case:
System property java.security.krb5.conf is not set so the module looks in default system-specific locations:
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
System property java.security.krb5.conf is set and file is found:
Java config name: krb5.conf
Loaded from Java config
System property java.security.krb5.conf is set but file was not found:
Java config name: krb5.conf
Notice in the last example that there is no confirmation that the config has been loaded. It's in this scenario that you'll see the exception message: KrbException: Cannot locate default realm.
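The lookup order quoted in the answer above, as an added Java example that is not part of the original answers or of the SPNEGO project: it lists the candidate krb5.conf paths for the running JVM, resolves relative ones against the working directory, and reads default_realm from [libdefaults]. The class name Krb5ConfCheck is hypothetical, and the example assumes the lib/security directory is the one under the JRE home (java.home).

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;

public class Krb5ConfCheck { // hypothetical name, added example
    // Candidate paths in the lookup order quoted in the answer.
    static List<Path> candidates() {
        String prop = System.getProperty("java.security.krb5.conf");
        // If the property is set, its value is taken as the path: no fallback.
        if (prop != null) return Collections.singletonList(Paths.get(prop));
        List<Path> out = new ArrayList<>();
        // Assumption: the lib/security directory is under the JRE home.
        out.add(Paths.get(System.getProperty("java.home"), "lib", "security", "krb5.conf"));
        String os = System.getProperty("os.name").toLowerCase(Locale.ROOT);
        if (os.startsWith("windows")) out.add(Paths.get("c:\\winnt\\krb5.ini"));
        else if (os.contains("sunos")) out.add(Paths.get("/etc/krb5/krb5.conf"));
        else out.add(Paths.get("/etc/krb5.conf"));
        return out;
    }

    // Returns default_realm from the [libdefaults] section, or null if it is absent.
    static String defaultRealm(Path conf) throws IOException {
        String section = "";
        for (String raw : Files.readAllLines(conf)) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[") && line.endsWith("]")) { section = line; continue; }
            int eq = line.indexOf('=');
            if (eq > 0 && section.equals("[libdefaults]")
                    && line.substring(0, eq).trim().equals("default_realm"))
                return line.substring(eq + 1).trim();
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Relative paths such as "krb5.conf" resolve against this directory.
        System.out.println("Working directory: " + Paths.get("").toAbsolutePath());
        for (Path p : candidates()) {
            Path abs = p.toAbsolutePath();
            if (!Files.isReadable(abs)) { System.out.println("MISSING " + abs); continue; }
            String realm = defaultRealm(abs);
            System.out.println("FOUND   " + abs + " default_realm=" + (realm == null ? "<not set>" : realm));
            return; // the first readable file is the one that gets loaded
        }
        System.out.println("No readable krb5.conf in the lookup order");
    }
}
```

Run it with the same -Djava.security.krb5.conf value and from the same working directory as the Tomcat process, so that a relative path resolves the way it does at startup.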