Help configuring WAFFLE for aliases


nicktes...@gmail.com

Oct 30, 2015, 4:08:44 AM
to waffle
Hello everyone,

We have a Tomcat set up with WAFFLE (1.7) for two different web applications: one is a servlet and the other is just some web forms. All we pretty much need is getting the user name of the logged-in user. The two applications are accessed through two different aliases configured in server.xml of the Tomcat. I have supplied the WAFFLE configurations for the different webapps at the bottom. We have a domain account running the Tomcat service and an SPN HTTP/Servername.fqdn and HTTP/Servername linked to the account. This all worked fine, and whichever alias you used to access the server you would still get logged in. But then we ran into an issue where the Windows maintenance team couldn't log in remotely with PowerShell. After some research we saw that PowerShell needed the HTTP/Servername to not be mapped to a domain account. So we removed the SPN and added the alias instead, so HTTP/ALIAS.fqdn. This is not, however, working at the moment, so I wanted to know if there is something glaringly obvious I'm missing or what we need to do to make it work. Or maybe it isn't even possible? Oh, and the error we get:

com.sun.jna.platform.win32.Win32Exception: The handle specified is invalid
    at waffle.windows.auth.impl.WindowsAuthProviderImpl.acceptSecurityToken(WindowsAuthProviderImpl.java:134)
    at waffle.servlet.spi.NegotiateSecurityFilterProvider.doFilter(NegotiateSecurityFilterProvider.java:103)
    at waffle.servlet.spi.SecurityFilterProviderCollection.doFilter(SecurityFilterProviderCollection.java:130)
    at waffle.servlet.NegotiateSecurityFilter.doFilter(NegotiateSecurityFilter.java:98)


The webforms have the following configuration in their web.xml:

<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SecurityFilter</filter-name>
  <url-pattern>/<our pages>/</url-pattern>
  <url-pattern>/<our pages>/</url-pattern>
</filter-mapping>

and the servlet has:

<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
  <init-param>
    <param-name>principalFormat</param-name>
    <param-value>fqn</param-value>
  </init-param>
  <init-param>
    <param-name>roleFormat</param-name>
    <param-value>both</param-value>
  </init-param>
  <init-param>
    <param-name>allowGuestLogin</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>securityFilterProviders</param-name>
    <param-value>
      waffle.servlet.spi.NegotiateSecurityFilterProvider
      waffle.servlet.spi.BasicSecurityFilterProvider
    </param-value>
  </init-param>
  <init-param>
    <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
    <param-value>
      Negotiate
      NTLM
    </param-value>
  </init-param>
  <init-param>
    <param-name>waffle.servlet.spi.BasicSecurityFilterProvider/realm</param-name>
    <param-value><our domain></param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SecurityFilter</filter-name>
  <url-pattern>/<our servlet name></url-pattern>
</filter-mapping>



nicktes...@gmail.com

Oct 30, 2015, 4:28:46 AM
to waffle
So I just tried changing it so that the Tomcat service runs as Local System. This does seem to have fixed the issue, but I don't know if we want the service running under Local System? Any thoughts?


Daniel Doubrovkine

Oct 30, 2015, 3:04:26 PM
to waffle...@googlegroups.com
You do. Otherwise it doesn't work. I have yet to find a person who can explain what the missing privileges are when the service is run under a domain account, though.


nicktes...@gmail.com

Nov 2, 2015, 2:00:04 AM
to waffle
Well, in our case, seeing as it worked before, I think it has to do with the servername SPN no longer being associated with the domain account that used to run the service. So if it can't find the SPN, it fails. If we change to Local System running the service, WAFFLE probably authenticates the user the same way PowerShell does, via the built-in account, and it works. What I would like, however, is to be able to register an SPN with the alias and not the server name, and have this resolved to the server name anyway somehow.

Daniel Doubrovkine

Nov 2, 2015, 6:54:34 AM
to waffle...@googlegroups.com
If you figure it out I would like an explanation!


nicktes...@gmail.com

Nov 4, 2015, 5:24:46 AM
to waffle
I don't think our issue is really the same as for others. The explanation for our problem seems to be that our aliases are CNAME aliases, and in our network setup they always get resolved to the hostname of the server. So the SPN always got resolved to HTTP/HOSTNAME.fqdn even if we accessed the page via an alias. So when the domain account running the service didn't have this SPN assigned, it failed. If we change to Local System running the service and it can't find the HTTP/HOSTNAME.fqdn SPN, it falls back to HOST/HOSTNAME.fqdn, and this SPN exists as it is created by default for each server that is set up. This SPN is associated with the NetBIOS name of the server; run setspn -l servername to list them. I suppose Local System is associated with these SPNs.
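The two symptoms in this thread (the domain-account setup failing once HTTP/Servername was removed, and the CNAME alias being canonicalised to the real hostname) can be checked from any domain-joined Windows box before touching WAFFLE. The script below is an added example, not code from the thread or from the WAFFLE project. It follows the alias's CNAME to the A record, derives the SPN a Negotiate client will actually request (on the assumption, matching the observation above, that the client canonicalises the CNAME before building the SPN), and looks up in Active Directory which account holds that SPN. The names `web-alias.corp.example` and `svc-tomcat` are made-up placeholders; replace them with the real alias and the Tomcat service account.

```powershell
<#
  Added example (not from the thread or the WAFFLE project).
  Assumptions, none of which come from the thread:
    - 'web-alias.corp.example' is a DNS CNAME pointing at the Tomcat host
    - 'svc-tomcat' is the domain account the Tomcat service runs as
    - this runs on a domain-joined machine, so [adsisearcher] binds to the
      current domain without RSAT being installed
    - the browser canonicalises the CNAME to the A record name before it
      asks the KDC for a ticket (the behaviour described in the thread)
#>
[CmdletBinding()]
param(
    [string]$Alias          = 'web-alias.corp.example',
    [string]$ServiceAccount = 'svc-tomcat'
)

function Get-CanonicalHost {
    param([Parameter(Mandatory)][string]$Name)
    # Resolve-DnsName returns the CNAME record(s) followed by the A record(s)
    # of the final target; the A record's Name is what the SPN will be built from.
    $records = Resolve-DnsName -Name $Name -ErrorAction Stop
    $a = $records | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if ($null -eq $a) { return $Name.ToLowerInvariant() }   # no A record found; use the name as typed
    return $a.Name.ToLowerInvariant()
}

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # LDAP search on the indexed servicePrincipalName attribute.
    # Emits the sAMAccountName of every object carrying the SPN (ideally exactly one).
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) {
        [string]$r.Properties['samaccountname'][0]
    }
}

$canonical = Get-CanonicalHost -Name $Alias
$short     = $canonical.Split('.')[0]
Write-Host "Alias $Alias resolves to $canonical"
Write-Host "A client that canonicalises CNAMEs will request HTTP/$canonical, not HTTP/$Alias"

# The SPN the client really asks for, its NetBIOS form, and the alias form
# (the alias form only matters once the alias is an A record instead of a CNAME).
foreach ($spn in "HTTP/$canonical", "HTTP/$short", "HTTP/$Alias") {
    $owners = @(Find-SpnOwner -Spn $spn)
    switch ($owners.Count) {
        0       { Write-Host "$spn : not registered on any account" }
        1       { Write-Host "$spn : held by $($owners[0])" }
        default { Write-Warning "$spn : duplicated on $($owners -join ', ') - Kerberos breaks for a duplicated SPN" }
    }
}

# A service running as a domain account can only decrypt tickets issued for
# SPNs registered on that account; the computer account (Local System) holds HOST/<host>.
$have = @(Find-SpnOwner -Spn "HTTP/$canonical")
if ($have -notcontains $ServiceAccount) {
    Write-Warning "$ServiceAccount does not hold HTTP/$canonical; Kerberos to Tomcat under that account will fail"
    Write-Host "Option A: setspn -S HTTP/$canonical $ServiceAccount   (-S refuses to create a duplicate; -A does not)"
    Write-Host "Option B: make $Alias an A record, then setspn -S HTTP/$Alias $ServiceAccount"
    Write-Host "Afterwards run 'klist purge' on the client and retry"
}
```

Option A is exactly the arrangement the first post had before the maintenance team's PowerShell remoting broke, so in this environment it re-creates that conflict; option B keeps HTTP/hostname free for the computer account and gives the Tomcat service account an SPN of its own, which is the outcome the second-to-last post asks for. Either way, check with `klist` on the client after purging that the ticket issued is for the expected HTTP/ SPN rather than a fallback to NTLM.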

Parminder Grewal

Aug 22, 2017, 5:51:26 PM
to waffle
I may be late to the party here, but I think this could be related to delegation authority for the managed service account.