Reputation: 21
My SPNEGO configuration does not seem to work and always prompts for a password in my Tomcat 8.
Installation/Configuration SPNEGO install guide
I added the library spnego-r9.jar to the "tomcat\lib" folder and added the .conf files as well. Here is the krb5.conf:

```
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
udp_preference_limit = 1
default_realm=EXAMPLE.COM
default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes256-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes256-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
EXAMPLE.COM = {
    default_domain=example.com
    kdc=dc2.example.com:88
}
[domain_realm]
.example.com=EXAMPLE.COM
example.com=EXAMPLE.COM
```
The SpnegoHttpFilter was then added to the web.xml. Last but not least, I contacted our admins and added the following to the user registered in the SpnegoHttpFilter:

```
setspn.exe -A HTTP/ourserver01.example.com/projectXY exampleUser
setspn.exe -A HTTP/ourserver01/projectXY exampleUser
```
The result is a password prompt even though my accessing user is logged in to the EXAMPLE.COM domain. To my knowledge this should not happen. I logged on to our server and found that its domain is a workgroup (using wmic computersystem get domain in cmd). Could that be an issue, and how would I go about resolving this?
EDIT: Here is the second .conf file:

```
spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};
spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    isInitiator=false;
};
```
Upvotes: 0
Views: 570
Reputation: 21
I checked the packages via Wireshark and found the unknown principal name error. Thanks for the hint, @Samson Scharfrichter.
The correct SPN registration is setspn.exe -A HTTP/ourserver01.example.com exampleUser, without the project itself.
Upvotes: 1
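The mismatch the answer describes, as an added example that is not part of the original posts: a browser asks the KDC for a ticket for HTTP/ plus the host of the URL, never the application path, so an SPN registered with the project appended is never requested. The functions `expected_spn` and `check_registrations` and the port 8080 are assumptions made for illustration; the sketch also assumes the client adds no port and does no DNS canonicalization.

```python
from urllib.parse import urlsplit


def expected_spn(url):
    """SPN a browser requests for this URL: class HTTP plus the URL host.

    Assumption: no port and no DNS (CNAME) canonicalization is applied.
    """
    host = urlsplit(url).hostname  # lowercased; port and path are dropped
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return "HTTP/" + host


def check_registrations(url, registered_spns):
    """Compare registered SPNs with the one the client will ask the KDC for."""
    want = expected_spn(url)
    report = {"expected": want, "matching": [], "unused": []}
    for spn in registered_spns:
        if spn.lower() == want.lower():  # AD compares SPNs case-insensitively
            report["matching"].append(spn)
        elif spn.count("/") >= 2:
            report["unused"].append((spn, "extra component after the host"))
        else:
            report["unused"].append((spn, "host differs from the URL host"))
    return report


# Constructed input: the port is an assumption, the names come from the posts.
URL = "http://ourserver01.example.com:8080/projectXY/"
QUESTION_SPNS = ["HTTP/ourserver01.example.com/projectXY",
                 "HTTP/ourserver01/projectXY"]
ANSWER_SPNS = ["HTTP/ourserver01.example.com"]

if __name__ == "__main__":
    for label, spns in (("question", QUESTION_SPNS), ("answer", ANSWER_SPNS)):
        r = check_registrations(URL, spns)
        print(label, "expected:", r["expected"], "matching:", r["matching"])
        for spn, why in r["unused"]:
            print("  never requested:", spn, "(" + why + ")")
```

An empty "matching" list for the URL users actually open is the condition under which the KDC reports an unknown principal name, as seen in the capture mentioned in the answer.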