spring-security-kerberos can't read keytab?

Question

I'm trying to follow this tutorial for spring-security-kerberos I have a keytab with one principal in it:

ktutil:  rkt http-web.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM

This keytab was generated on a the win 2k8 domain controller with this command:

ktpass /out http-web.keytab /mapuser aulfeldt-hta-nightly@WAD.ENG.HYTRUST.COM /princ HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM /pass *

which was coppied over the the test web server used in spnego.xml:

<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
  <property name="servicePrincipal" value="HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM" />
  <property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />
  <property name="debug" value="true" />
</bean>

but fails to find the principal:

Key for the principal HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM not available in 
jndi:/localhost/spring-security-kerberos-sample-1.0.0.CI-SNAPSHOT/WEB-INF/http-web.keytab
            [Krb5LoginModule] authentication failed 
Unable to obtain password from user

I have tried joining the web server (Centos 5.5, tomcat6) to the AD WAD.ENG.HYTRUST.COM and can login using AD credentials and then using a principal from /etc/krb5.keytab just to see if it can be read... same response. I also tried lots of variants on uppercase and lowercaseing the names.

ps checked it out from git this morning.

Answer 1

Key for the principal HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM not available in

We just stumbled over this error when trying to work with a SASL+Kerberos client trying to authenticate against Kafka brokers. The problem was that their JVM did not support advanced encryption ciphers so the key could not be read from the keytab and was silently ignored.

The solution was to upgrade their Java version since modern >= Java8 versions support AES256 and other more advanced ciphers.

We used the following Java code to test for AES:

/* Test to see if the current JVM supports AES > 128 */
public class UnlimitedSupportJCE {
    public static void main(final String[] args) {
        int strength = 0;
        try {
            strength = javax.crypto.Cipher.getMaxAllowedKeyLength("AES");
        } catch (java.security.NoSuchAlgorithmException e) {
            System.out.println("isUnlimitedSupported=FALSE");
        }
        if (strength > 128) {
            System.out.println("AES cipher strength is " + strength);
        } else {
            // probably not good enough for many kerberos keys
            System.out.println("Warning: AES cipher strength is only "+strength);
        }
    }
}

Answer 2

There're several mistakes that lead to "Unable to obtain password from user":

1. incorrectly specified localtion of keytab file (just like @jasop pointed out); it should be something like classpath:http-web.keytab or file:c:/http-web.keytabl
2. incorrectly specified principal name (i.e., principal name that doesn't match the actual one, for which keytab file was generated)
3. white spaces in a keytab file path (note sure if this has ever been fixed),- saw complaints in comments on SPRING SECURITY KERBEROS/SPNEGO EXTENSION SpringSource blog entry, and received evidence on my dev environment - Windows 7 / Java 6,- the absolute path must be considered at all times (even if keytab referenced by classpath with no spaces)

Answer 3

I had the exact same issue.

The problem is your "keyTabLocation" setting. You cannot set it to /WEB-INF/http-web.keytab

You need to set it to something on the file path or classpath.

For instance, I put my file on the classpath and made this setting:

    <property name="keyTabLocation" value="classpath:http-web.keytab" />