I am working on setting up Tomcat 8.0.35 on Ubuntu 16.04 with Oracle Java 1.8.0_91-b14 (not openjdk) to use Kerberos authentication when authenticating to our Microsoft SQL database. The issue I am running into is that after running kinit as the appropriate user with the appropriate switches:
sudo -u tomcat8 kinit -k -t /etc/tomcat8/tomcat8.keytab HTTP/[email protected]
I am getting this error in the localhost log from Tomcat:
Caused by: GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
Caused by: KrbException: Fail to create credential. (63) - No service creds
When I run
sudo -u tomcat8 klist
I get the expected response:
root@linux-test2:/home/tbourne# sudo -u tomcat8 klist
Ticket cache: FILE:/tmp/krb5cc_111
Default principal: HTTP/[email protected]
Valid starting       Expires              Service principal
06/23/2016 14:33:10  06/24/2016 00:33:10  krbtgt/[email protected]
        renew until 06/24/2016 14:33:07
When I capture packets during the Tomcat startup, I see a service/instance name being passed of krbtgt/OUR.DOMAIN.LOCAL. I was expecting this to be the Default Principal mentioned above. When I set the serverSpn option in the database connection string, I get the above results.
When I remove the serverSpn option, it uses a different Principal name MSSQLSvc/[email protected]. Unfortunately I can't use that name since I will need unique logins (and thereby unique SPNs) for each of our Tomcat instances.
Our database connection string looks like this:
property.db.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
property.db.jdbcUrl=jdbc:sqlserver://sql-server.our.domain.local:1434;databaseName=DBAUTH2;integratedSecurity=true;authenticationScheme=JavaKerberos;serverSpn="HTTP/[email protected]"
I have downloaded the Microsoft JDBC driver version 4.2 and Tomcat is using it.
I am at a loss as to why Tomcat isn't sending the proper principal name when authenticating to the database. Any insight would be greatly appreciated.
I can post the krb5.ini for Tomcat, the krb5.conf, the jaas.conf and any other configs if they would be helpful.
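As an added example (not code from the question or from the Microsoft driver), the following standalone Java program shows how the two identities in a JavaKerberos JDBC connection are configured separately: the Microsoft JDBC driver's serverSpn property names the SQL Server's own service principal (MSSQLSvc/fqdn:port@REALM, the name the client requests a service ticket for), while the client identity that Tomcat presents is whatever principal the JAAS login entry obtains, by default from the ticket cache that kinit populated. The driver 4.2 looks for a JAAS entry named SQLJDBCDriver. The hostnames, port, database, realm and file paths below are placeholders based on the question and must be replaced; the JAAS file contents are shown as a comment.

```java
// Added example: standalone Kerberos JDBC check for the Microsoft SQL Server
// driver (sqljdbc 4.2 on the classpath is assumed). Placeholder names follow
// the question; nothing here is taken from a real deployment.
//
// Assumed contents of /etc/tomcat8/jaas.conf (entry name is fixed by the driver):
//
//   SQLJDBCDriver {
//       com.sun.security.auth.module.Krb5LoginModule required
//       useTicketCache=true      // reuse the ticket from "kinit -k -t <keytab> HTTP/host@REALM"
//       doNotPrompt=true;        // never fall back to an interactive password prompt
//   };
//
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class KerberosJdbcCheck {

    // The SQL Server's service principal, NOT the Tomcat client principal.
    // Format: MSSQLSvc/<server fqdn>:<port>[@REALM]  (placeholder values)
    static final String SERVER_SPN =
        "MSSQLSvc/sql-server.our.domain.local:1434@OUR.DOMAIN.LOCAL";

    // Build the JDBC URL; kept as a separate function so the string can be
    // inspected or logged before any network connection is attempted.
    static String buildUrl(String host, int port, String database, String serverSpn) {
        return "jdbc:sqlserver://" + host + ":" + port
             + ";databaseName=" + database
             + ";integratedSecurity=true"
             + ";authenticationScheme=JavaKerberos"
             + ";serverSpn=" + serverSpn;
    }

    public static void main(String[] args) throws SQLException {
        // Point the JVM at the JAAS login configuration and the Kerberos client
        // configuration (placeholder paths; Tomcat would get these via JAVA_OPTS).
        System.setProperty("java.security.auth.login.config", "/etc/tomcat8/jaas.conf");
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");

        String url = buildUrl("sql-server.our.domain.local", 1434, "DBAUTH2", SERVER_SPN);

        try (Connection conn = DriverManager.getConnection(url);
             Statement st = conn.createStatement();
             // SUSER_SNAME() reports which principal SQL Server authenticated, and
             // auth_scheme confirms KERBEROS was used rather than an NTLM fallback.
             ResultSet rs = st.executeQuery(
                 "SELECT SUSER_SNAME() AS login_name, auth_scheme "
               + "FROM sys.dm_exec_connections WHERE session_id = @@SPID")) {
            while (rs.next()) {
                System.out.println("login=" + rs.getString("login_name")
                                 + " scheme=" + rs.getString("auth_scheme"));
            }
        }
    }
}
```

Run it as the same OS account that ran kinit (for example with sudo -u tomcat8) so the ticket cache it reads is the one klist showed; the query's login_name column then shows the client principal that actually reached SQL Server, and auth_scheme shows whether Kerberos was negotiated. Keeping the keytab readable only by that account is what limits who can impersonate the Tomcat principal.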