Reputation: 27
Team, I have a question on Single Sign On using Kerberos Authentication.
We have generated a keytab file for the domain "POC.MAIL.COM", and our server is hosted on "SW.MAIL.COM". As our application runs on WebSphere Application Server, we tried to set the Kerberos configuration as given in the document (page 167): http://www.redbooks.ibm.com/redbooks/pdfs/sg247771.pdf . We are facing an error saying "Cannot get credential for principal service HTTP/[email protected]". Can someone help me in resolving the issue?
Please post a comment if any additional information is required.
When I try to set the krb5.conf and keytab file on "Kerberos Authentication Mechanism page", we are getting this error.
When I ran the command klist as per your input, I got the output as below
Key table: /etc/krb5/pocsso.keytab
Number of entries: 1
[1.] principal: HTTP/[email protected] KVNO: 12
UPDATE
Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: [email protected]

Valid starting      Expires             Service principal
01/09/2014 16:15    02/09/2014 02:21    krbtgt/[email protected]
        renew until 08/09/2014 16:15
Upvotes: 1
Views: 6983
Reputation: 103
A bit of a late answer.
Regenerate the keytab file by running the ktpass command as:
ktpass -out file.keytab -princ HTTP/server1.SW.MAIL.COM@POC.MAIL.COM -mapuser your-user -pass your-pwd -ptype KRB5_NT_PRINCIPAL
Solving the error:
org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Cannot get credential for principal HTTP/[email protected]
boils down to the following rule when generating the keytab file:
<service name>/<fully qualified hostname>@KerberosRealm
Upvotes: 1
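As an added example (not part of the answer above, and not WebSphere or IBM code), the following Python script applies the `<service>/<fully qualified hostname>@REALM` rule mechanically: it builds the SPN a web server on a given host will ask GSS-API for, parses a `klist`-style keytab listing, and reports why the lookup would fail. The keytab listing embedded in it is constructed for the example and is not the one from the question; the two defects it contains (a short host name and a lower-case service class) are the ones that most often produce "Cannot get credential for principal". Principal names are compared case-sensitively by MIT Kerberos and Java GSS, which is why a case-only difference is reported as a failure rather than ignored.

```python
"""Check whether a keytab holds a key for the SPN a SPNEGO web server will look up.

Added example, not code from the original page. Principal matching follows the
rule <service>/<fully qualified hostname>@REALM and is case-sensitive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# <service>/<host>@<REALM>, none of the three parts may be empty or contain '/' or '@'
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")

# Constructed 'klist -k' style listing for the example (not the asker's real keytab).
SAMPLE_KLIST = """\
Key table: /etc/krb5/pocsso.keytab
Number of entries: 2
[1.] principal: HTTP/server1@POC.MAIL.COM KVNO: 12
[2.] principal: http/server1.sw.mail.com@POC.MAIL.COM KVNO: 12
"""


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: str

    @classmethod
    def parse(cls, text: str) -> Principal:
        m = PRINCIPAL_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a service principal (service/host@REALM): {text!r}")
        return cls(m["service"], m["host"], m["realm"])

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"


def expected_spn(hostname: str, realm: str, service: str = "HTTP") -> Principal:
    """The SPN a web server on `hostname` in `realm` asks GSS-API for."""
    return Principal(service, hostname, realm)


def keytab_principals(klist_output: str) -> list[Principal]:
    """Extract principal names from 'klist -k' style output (constructed format)."""
    found = []
    for line in klist_output.splitlines():
        m = re.search(r"principal:\s*(\S+)", line)
        if m:
            found.append(Principal.parse(m.group(1)))
    return found


def diagnose(expected: Principal, in_keytab: list[Principal]) -> list[str]:
    """Return findings explaining why `expected` has no key; empty list means it does."""
    if expected in in_keytab:  # exact, case-sensitive match
        return []
    findings = [f"no exact key for {expected}"]
    for p in in_keytab:
        if str(p).lower() == str(expected).lower():
            findings.append(
                f"{p} differs only in case from {expected}; principal matching is "
                "case-sensitive, regenerate the keytab with the exact spelling"
            )
        elif p.realm.upper() != expected.realm.upper():
            findings.append(f"{p} belongs to realm {p.realm}, the server expects {expected.realm}")
        elif p.service.upper() != expected.service.upper():
            findings.append(f"{p} has service class {p.service}, the server asks for {expected.service}")
        elif "." not in p.host:
            findings.append(f"{p} uses a short host name; the SPN needs the fully qualified host name")
        else:
            findings.append(f"{p} is for host {p.host}, not {expected.host}")
    return findings


if __name__ == "__main__":
    spn = expected_spn("server1.sw.mail.com", "POC.MAIL.COM")
    for line in diagnose(spn, keytab_principals(SAMPLE_KLIST)):
        print(line)
```

Run it against the output of `klist -k -t /path/to/file.keytab` on the WebSphere host, with the host name the server actually resolves to; an empty result means the keytab entry matches, and the remaining suspects are the realm configuration in krb5.conf and the KVNO of the account in the directory.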
Reputation: 18050
Specify it only on the Global security > SPNEGO web authentication page, not on the Kerberos configuration page. If the keytab path is correct in your krb5.conf file, it is enough to provide just the path to the conf file (the keytab is optional).
UPDATE
In the filter definition you should have:
Host name: server1.sw.mail.com
Kerberos realm name: POC.MAIL.COM
Filter criteria: yourFilterCriteria
Trim Kerberos realm from principal name - checked
See configuration details here: Enabling and configuring SPNEGO web authentication using the administrative console
Minimal configuration in web.xml for Java EE security. You also have to have Application Security enabled in the server configuration, and userRole mapped to some users/groups from the registry.
<security-constraint>
    <display-name>constraint</display-name>
    <web-resource-collection>
        <web-resource-name>all resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>userRole</role-name>
    </auth-constraint>
</security-constraint>
Upvotes: 1