spnego

问题 We are reconfiguring a SPNEGO / Kerberos SSO application to use AES128 / AES256 instead of the the weak encryption ciphers DES and RC4. Some days ago I posted a preparatory question: Now we have a concrete error. The token supplied to the function is invalid. The components: The Kerberos “back-end” is Windows Active Directory The Application Server uses pure Java GSSAPI and runs on Windows Server. The client runs on Windows 10, and is written in Java. It has 2 SPNEGO / SSO implementations:

问题 We are reconfiguring a SPNEGO / Kerberos SSO application to use AES128 / AES256 instead of the the weak encryption ciphers DES and RC4. Some days ago I posted a preparatory question: Now we have a concrete error. The token supplied to the function is invalid. The components: The Kerberos “back-end” is Windows Active Directory The Application Server uses pure Java GSSAPI and runs on Windows Server. The client runs on Windows 10, and is written in Java. It has 2 SPNEGO / SSO implementations:

问题 I have the following spring web application on JBoss EAP 7.2.2 - Machine CentOs Keycloak 3.3.4 on CentOs Active directory We run on OpenJDK 8 Users login from Windows machines using their Active directory accounts. Keycloak is configured with a kerberos use federation. On CentOs machines a kerberos client is installed using yum install krb5-user krb5-doc yum install krb5-pkinit krb5-workstation yum install krb5-libs krb5-devel yum install krb5-server krb5-workstation pam_krb5 In keycloak user

问题 I'm trying to use curl with Kerberos (against TM1). The answers in When using --negotiate with curl, is a keytab file required? seem very helpful, however, it still doesn't work for me. No success with curl 7.29.0 and GSS-Negotiate I followed the instructions from Avinash Reddy $curl --version curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp

问题 I'm trying to follow this tutorial for spring-security-kerberos I have a keytab with one principal in it: ktutil: rkt http-web.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 3 HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM This keytab was generated on a the win 2k8 domain controller with this command: ktpass /out http-web.keytab /mapuser aulfeldt-hta-nightly@WAD.ENG.HYTRUST.COM /princ HTTP/aulfeldt.hta.nightly@WAD.ENG

问题 I'm trying to follow this tutorial for spring-security-kerberos I have a keytab with one principal in it: ktutil: rkt http-web.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 3 HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM This keytab was generated on a the win 2k8 domain controller with this command: ktpass /out http-web.keytab /mapuser aulfeldt-hta-nightly@WAD.ENG.HYTRUST.COM /princ HTTP/aulfeldt.hta.nightly@WAD.ENG

问题 I have a project that have embedded jetty with SPNEGO enabled. I would like to be able to run this project locally for development purposes (WITH SPNEGO enabled!) My question is, is the SPN and keytab associated with a particular server at all or can I use the same set on multiple instances of my service? 回答1: Kerberos requires that both the client and server somehow figure the service principal to use without any prior contact. If you have control of both the client and server, you can use

问题 Is there an apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation? I've already looked at mod_spnego and it throws away the SSPI context it creates only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user. EDIT: To clarify, I need

问题 I am using http://webmoli.com/2009/08/29/single-sign-on-in-java-platform/ for SSO in java. I have KDC Windows server 2008, in that i have created spn by using setspn command for testsso user. And using testsso@MYDOMAIN.COM as principal in jaas.con. I have Tomcat server in Windows 7 machine(within AD). In this i have created one servlet as of jsp(from webmoli itself). I sending browser request for that servlet from 3rd machine Windows XP(within AD). But i get checksum failed error. Stacktrace

问题 I am doing kerberos delegation. I noticed that GSSUtil.createSubject(context.getSrcName(), clientCred) returns a Subject without having credentials in it. Prior to that i've done GSSCredential clientCred = context.getDelegCred(); which returns the credentials. Edit: When I hit my service from one machine in same domain, it works, while if accessed from other machine in same domain, it doesn't. Confused what additional settings are needed on AD ? Any help is highly appreciated. Following is my