James

Reputation: 3184

Why is SSO not working with Kerberos using Spring Security?

I'm running two sample web apps that are secured by Spring Security Kerberos. After logging into one, I expected the other app to not require login. Here are the details of my setup:

On Ubuntu Linux, I have installed Kerberos and configured per this documentation. I replaced EXAMPLE.ORG with my domain, MYDOMAIN.LOCAL. Here's my krb5.conf:

[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        kdc_tcp_port = 12345 
        kdc_udp_port = 12345

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        MYDOMAIN.LOCAL = {
                kdc = localhost
                admin_server = localhost
        }

I also added two service principals: HTTP/[email protected] and HTTP/[email protected].

Then I built this Spring Security Kerberos sample code following this documentation.

I ran two instances of this sample app with different config parameters:

App 1

server:
    port: 9122
app:
    service-principal: HTTP/[email protected]
    keytab-location: /tmp/tomcat.keytab 

App 2

server:
    port: 9123
app:
    service-principal: HTTP/[email protected]
    keytab-location: /tmp/tomcat2.keytab 

Both app instances are running on the same Linux machine hosting my Kerberos (KDC) instance.

On my local Windows machine, I configured Firefox per this. I set network.negotiate-auth.trusted-uris=http://subdomain1.mydomain.local,http://subdomain2.mydomain.local.

I edited my hosts file (Windows machine) so that subdomain2.mydomain.local points to the same IP address as subdomain1.mydomain.local (since my DNS doesn't know about subdomain2).

Using Firefox, I navigated to http://subdomain1.mydomain.local/hello, which is secured. As expected, I got the login page. I logged in as user1 and got the hello page (which displays `Hello [email protected]`).

On another Firefox tab, I navigated to http://subdomain2.mydomain.local/hello. I was prompted to login again. Why?

Upvotes: 1

Views: 749

Answers (2)

Theodor Heuss

Reputation: 11

Did you log in on your Windows machine using the same Linux KDC? As I understand your post, the KDC is not an AD Domain Controller. So Windows will not generate a negotiation token that can be matched on your KDC if you log in standalone (Windows Home Edition). Kerberos is a triangle trust, so the KDC has to trust the client (Windows) and the Tomcat server that forwards the request. Only then may the Spring Security ticket validator accept the token sent from your Firefox.

Upvotes: 1
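The answer above turns on what Firefox actually puts in the `Authorization: Negotiate` header when the Windows client has no Kerberos ticket for MYDOMAIN.LOCAL: either nothing at all (the host is not trusted for Negotiate, or there is no TGT, so the form login appears), or an NTLM token, which a Kerberos-only validator such as the Spring Security Kerberos SPNEGO filter rejects (it checks for the `NTLMSSP` signature). The following Python script is an added diagnostic, not code from the question or from Spring Security Kerberos. It parses the GSS-API initial context token in a captured header, reads the mechanism OID, and reports whether the browser sent raw NTLM, SPNEGO carrying NTLM, or SPNEGO/raw Kerberos. The sample tokens are constructed placeholders with no real tickets, and the header dictionaries and explanation strings are assumptions about the setup, not values from the page.

```python
"""Classify the token a browser sends in 'Authorization: Negotiate <base64>'.

Added diagnostic (not part of the question or of Spring Security Kerberos).
All sample tokens below are constructed; none carries a real ticket.
"""
import base64

# DER-encoded OID contents (without the 0x06 tag and length byte).
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLM_OID = bytes.fromhex("2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10
NTLM_SIG = b"NTLMSSP\x00"                            # start of every NTLMSSP message


def _der_len(buf, pos):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _tlv(tag, body):
    """Build a DER tag/length/value (only used to construct the samples)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    enc = len(body).to_bytes(2, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + body


def classify_token(token_b64):
    """Return 'ntlm', 'krb5', 'spnego-krb5', 'spnego-ntlm', 'spnego-unknown' or 'unknown'."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLM_SIG):                     # bare NTLM, not even wrapped in SPNEGO
        return "ntlm"
    if len(raw) < 2 or raw[0] != 0x60:               # GSS-API InitialContextToken is [APPLICATION 0]
        return "unknown"
    _, pos = _der_len(raw, 1)
    if pos >= len(raw) or raw[pos] != 0x06:          # thisMech OBJECT IDENTIFIER must follow
        return "unknown"
    oid_len, pos = _der_len(raw, pos + 1)
    oid, body = raw[pos:pos + oid_len], raw[pos + oid_len:]
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "krb5"
    if oid != SPNEGO_OID:
        return "unknown"
    # Inside a SPNEGO NegTokenInit: an NTLMSSP mechToken means the client fell back to NTLM,
    # whatever the mechTypes list says; otherwise look for a Kerberos mechanism.
    if NTLM_SIG in body:
        return "spnego-ntlm"
    if KRB5_OID in body or MS_KRB5_OID in body:
        return "spnego-krb5"
    return "spnego-unknown"


def diagnose(request_headers):
    """Explain, from one request's headers, why the SPNEGO filter would fall back to form login."""
    auth = request_headers.get("Authorization", "")
    if not auth.lower().startswith("negotiate "):
        return ("no Negotiate token: the browser did not attempt SPNEGO for this host (host not in "
                "network.negotiate-auth.trusted-uris, or the client holds no TGT for the realm)")
    kind = classify_token(auth.split(None, 1)[1])
    if kind in ("ntlm", "spnego-ntlm"):
        return "NTLM token: the client fell back to NTLM, which a Kerberos-only validator rejects"
    if kind in ("krb5", "spnego-krb5"):
        return "Kerberos token present: check the service principal and keytab for this host on the server"
    return "unrecognised token: " + kind


# ---- constructed samples -------------------------------------------------------------
def _gss_token(mech_oid, inner):
    return _tlv(0x60, _tlv(0x06, mech_oid) + inner)


def _neg_token_init(mech_oids, mech_token):
    mech_types = _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_oids))
    fields = _tlv(0xA0, mech_types) + _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0xA0, _tlv(0x30, fields))


SAMPLE_NTLM_RAW = base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00" + b"\x00" * 28).decode()
SAMPLE_SPNEGO_NTLM = base64.b64encode(
    _gss_token(SPNEGO_OID, _neg_token_init([NTLM_OID], NTLM_SIG + b"\x01\x00\x00\x00"))).decode()
SAMPLE_SPNEGO_KRB5 = base64.b64encode(
    _gss_token(SPNEGO_OID, _neg_token_init([MS_KRB5_OID, KRB5_OID, NTLM_OID],
                                           _gss_token(KRB5_OID, b"\x01\x00" + b"<AP-REQ placeholder>")))).decode()

if __name__ == "__main__":
    # A request with no Authorization header is what the form-login fallback in the question looks like.
    print(diagnose({"Host": "subdomain2.mydomain.local"}))
    print(diagnose({"Authorization": "Negotiate " + SAMPLE_SPNEGO_NTLM}))
    print(diagnose({"Authorization": "Negotiate " + SAMPLE_SPNEGO_KRB5}))
```

To use it on a real capture, copy the `Authorization` request header from the browser's network tab (or the server's access log, if it records it) into `diagnose`. A client logged on to a realm the Linux KDC knows nothing about will land in the first two cases; only the third case is worth debugging on the Spring side.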

Transformer

Reputation: 7439

Please consider the following two options:

    1. If you are trying to go across domains and expect the same login token to work, then please reconsider your approach/solution and set up single sign-on; look here.
    2. Now if you are having issues with Windows forcing you to re-login, it could be a trust & configuration issue.

Upvotes: 0
