How to pass windows authentication(browser) from react application to Spnego Kerberos Spring SSO?

Question

We have a react application which used get that data from spring boot webservice. Both is deployed in a same server(tomcat). But we only need Kerberos authentication for webserv

Answer 1

Yes, it's possible, requirements on the client side:

1. User logged into domain account on OS.
2. Proper config in your browser, see Spring documentation

E.g. for Internet Explorer:

E.3 Internet Explorer

Complete following steps to ensure that your Internet Explorer browser is enabled to perform Spnego authentication.

Open Internet Explorer.
Click Tools > Intenet Options > Security tab.
In Local intranet section make sure your server is trusted by i.e. adding it into a list.

Kerberos auth is triggered by HTTP header returned from backend service:

WWW-Authenticate: Negotiate

If your OS and browser are correctly configured this will trigger service ticket generation, which browser will send as Authorization HTTP header value.

EDIT: If your application is split into frontend and backend hosted separately on different hosts, then you have to register SPN (and generate keytab) for the fronted host which users will enter. Example:

• Backend: api.test.com
• Frontend: application.test.com

For SSO to work, you have to register SPN: application.test.com, backend host name is irrelevant here. Command:

setspn -A HTTP/application.test.com@test.com ad_user_to_registern_spn_for 

Answer 2

Using the fetch API, it worked for me by adding credentials: 'include'

fetch(${authBase}/auth, {credentials: 'include'})

I know it isn't what you are using but it may help other readers