Reputation: 71
I was following this tutorial on setting up Apache Directory Studio for a webapp to develop and test out Kerberos authentication (using SPNEGO). I set up the LDAP and ticket-granting service as well as some basic user accounts. I am able to do a kinit with the user accounts, so I know that portion is working well.
So, the current logs from that are indicating that it cannot decrypt the ticket. I tried using the keytab file with kinit and it wasn't working, so then I just tried to do a kinit and manually type in the password, which also doesn't work (even after verifying the password is correct in Apache Directory Studio). Here is the LDIF file I used for creating the SPN:
# Service principal for the web app, stored as an ApacheDS krb5KDCEntry
dn: uid=HTTP/example.com,ou=users,dc=security,dc=example,dc=com
objectClass: top
objectClass: krb5KDCEntry
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: person
objectClass: organizationalPerson
cn: HTTP/example.com
# key version number; the keytab entry exported later must carry the same kvno
krb5KeyVersionNumber: 1
krb5PrincipalName: HTTP/example.com@EXAMPLE.COM
sn: Something
uid: HTTP/example.com
userPassword: secret
Whenever I do a kinit -V HTTP/example.com and type in the password, I just get:
HTTP/example.com@EXAMPLE.COM's Password:
kinit: Password incorrect
This is my krb5.conf:
[libdefaults]
debug = true
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
# ApacheDS KDC on its non-standard port (Kerberos normally listens on 88)
kdc = example.com:60088
admin_server = example.com:60088
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Upvotes: 3
Views: 2498
Reputation: 71
So, apparently you cannot set up an SPN that is the same as the default realm. I had to create a subdomain (myapp.example.com) and import the associated new LDIF file:
# Same entry as before, with the service instance moved to a host below the realm's domain
dn: uid=HTTP/myapp.example.com,ou=users,dc=security,dc=example,dc=com
objectClass: top
objectClass: krb5KDCEntry
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: person
objectClass: organizationalPerson
cn: HTTP/myapp.example.com
krb5KeyVersionNumber: 1
krb5PrincipalName: HTTP/myapp.example.com@EXAMPLE.COM
sn: myapp
uid: HTTP/myapp.example.com
userPassword: secret
After that, I was able to kinit with HTTP/myapp.example.com. I was then able to set up a keytab and load that into my webserver and got SSO working!
Upvotes: 3
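A pre-flight check for the setup in this thread, added here as an example (it is not the poster's code and not part of ApacheDS): it parses the krb5.conf and the service-principal LDIF, confirms that the principal's realm has a kdc line and is the default_realm, that uid and cn agree with krb5PrincipalName, that a key version number is set, and flags the case the answer reports failing, an instance that is the realm name in lower case. That last check encodes the answer's observation rather than a documented Kerberos rule. The krb5.conf and the two LDIF entries below are constructed from the question and the answer; the attribute names are the ApacheDS krb5KDCEntry/krb5Principal ones used on the page.

```python
"""Lint a Kerberos service-principal LDIF entry against krb5.conf.
Added example for this page, not code from the thread or from ApacheDS.
Sample inputs are constructed from the question (failing) and answer (working)."""
import re

KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
  kdc = example.com:60088
}
"""

# The question's entry: the instance (example.com) is the realm name in lower case.
FAILING_LDIF = """
dn: uid=HTTP/example.com,ou=users,dc=security,dc=example,dc=com
objectClass: krb5KDCEntry
objectClass: krb5Principal
cn: HTTP/example.com
uid: HTTP/example.com
krb5KeyVersionNumber: 1
krb5PrincipalName: HTTP/example.com@EXAMPLE.COM
userPassword: secret
"""
# The answer's entry: same shape, host moved below the realm's domain.
WORKING_LDIF = FAILING_LDIF.replace("HTTP/example.com", "HTTP/myapp.example.com")


def parse_krb5_conf(text):
    """{section: {key: value}}; `NAME = { ... }` blocks nest one level, as in [realms]."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def parse_ldif(text):
    """List of {attr: [values]} entries, one per blank-line-separated record."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]            # LDIF folded continuation line
            elif not raw.startswith("#"):
                lines.append(raw)
        entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def split_principal(name):
    """'HTTP/host@REALM' -> ('HTTP', 'host', 'REALM'); absent parts are None."""
    name, realm = name.rsplit("@", 1) if "@" in name else (name, None)
    primary, _, instance = name.partition("/")
    return primary, instance or None, realm


def lint_service_principal(entry, conf):
    """Problems found in one principal entry; an empty list means it looks consistent."""
    names = entry.get("krb5PrincipalName", [])
    if len(names) != 1 or "krb5KDCEntry" not in entry.get("objectClass", []):
        return ["entry needs objectClass krb5KDCEntry and exactly one krb5PrincipalName"]
    problems = []
    primary, instance, realm = split_principal(names[0])
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    realm = realm or default_realm          # a bare name is resolved in the default realm
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append(f"[realms] has no kdc line for {realm}")
    if realm != default_realm:
        problems.append(f"{realm} is not default_realm {default_realm}: a bare kinit goes elsewhere")
    if instance is None:
        problems.append("service principal has no instance (host) part")
    elif instance.lower() == (realm or "").lower():
        # Not a documented rule: this is the combination the thread's answer reports failing.
        problems.append(f"instance '{instance}' is the realm name; the answer reports kinit failing here")
    short = primary if instance is None else f"{primary}/{instance}"
    for attr in ("uid", "cn"):
        if entry.get(attr, [None])[0] != short:
            problems.append(f"{attr} {entry.get(attr)} does not match principal {short}")
    kvno = entry.get("krb5KeyVersionNumber", [""])[0]
    if not kvno.isdigit() or int(kvno) < 1:
        problems.append("krb5KeyVersionNumber missing or not a positive integer (keytab kvno must match)")
    return problems


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for label, ldif in (("question", FAILING_LDIF), ("answer", WORKING_LDIF)):
        print(label, lint_service_principal(parse_ldif(ldif)[0], conf) or "OK")
```

Running it prints one line per entry: the question's entry gets the instance-equals-realm warning, the answer's entry comes back clean. It is a static check on the files before ldapadd and kinit, not a substitute for testing against the KDC.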