spnego

“The token supplied to the function is invalid” error when validating SPNEGO Response Token with SSPI

寵の児 submitted on 2020-03-05 01:27:33
Question: We are reconfiguring a SPNEGO / Kerberos SSO application to use AES128 / AES256 instead of the weak encryption ciphers DES and RC4. Some days ago I posted a preparatory question: Now we have a concrete error. The token supplied to the function is invalid. The components: The Kerberos “back-end” is Windows Active Directory The Application Server uses pure Java GSSAPI and runs on Windows Server. The client runs on Windows 10, and is written in Java. It has 2 SPNEGO / SSO implementations:

“The token supplied to the function is invalid” error when validating SPNEGO Response Token with SSPI

╄→гoц情女王★ submitted on 2020-03-05 01:26:09
Question: We are reconfiguring a SPNEGO / Kerberos SSO application to use AES128 / AES256 instead of the weak encryption ciphers DES and RC4. Some days ago I posted a preparatory question: Now we have a concrete error. The token supplied to the function is invalid. The components: The Kerberos “back-end” is Windows Active Directory The Application Server uses pure Java GSSAPI and runs on Windows Server. The client runs on Windows 10, and is written in Java. It has 2 SPNEGO / SSO implementations:

Keycloak + Kerberos authentication: Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

允我心安 submitted on 2020-02-29 06:42:12
Question: I have the following spring web application on JBoss EAP 7.2.2 - Machine CentOs Keycloak 3.3.4 on CentOs Active directory We run on OpenJDK 8 Users login from Windows machines using their Active directory accounts. Keycloak is configured with a kerberos user federation. On CentOs machines a kerberos client is installed using yum install krb5-user krb5-doc yum install krb5-pkinit krb5-workstation yum install krb5-libs krb5-devel yum install krb5-server krb5-workstation pam_krb5 In keycloak user

curl with --negotiate / Kerberos doesn't seem to work

为君一笑 submitted on 2020-01-25 07:58:06
Question: I'm trying to use curl with Kerberos (against TM1). The answers in When using --negotiate with curl, is a keytab file required? seem very helpful, however, it still doesn't work for me. No success with curl 7.29.0 and GSS-Negotiate I followed the instructions from Avinash Reddy $curl --version curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp

spring-security-kerberos can't read keytab?

五迷三道 submitted on 2020-01-14 20:42:11
Question: I'm trying to follow this tutorial for spring-security-kerberos I have a keytab with one principal in it: ktutil: rkt http-web.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 3 HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM This keytab was generated on the win 2k8 domain controller with this command: ktpass /out http-web.keytab /mapuser aulfeldt-hta-nightly@WAD.ENG.HYTRUST.COM /princ HTTP/aulfeldt.hta.nightly@WAD.ENG

spring-security-kerberos can't read keytab?

旧时模样 submitted on 2020-01-14 20:41:12
Question: I'm trying to follow this tutorial for spring-security-kerberos I have a keytab with one principal in it: ktutil: rkt http-web.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 3 HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM This keytab was generated on the win 2k8 domain controller with this command: ktpass /out http-web.keytab /mapuser aulfeldt-hta-nightly@WAD.ENG.HYTRUST.COM /princ HTTP/aulfeldt.hta.nightly@WAD.ENG

Kerberos - SPN and keytabs

岁酱吖の submitted on 2020-01-14 04:23:32
Question: I have a project that has embedded jetty with SPNEGO enabled. I would like to be able to run this project locally for development purposes (WITH SPNEGO enabled!) My question is, is the SPN and keytab associated with a particular server at all or can I use the same set on multiple instances of my service?
Answer 1: Kerberos requires that both the client and server somehow figure the service principal to use without any prior contact. If you have control of both the client and server, you can use

Tomcat authentication using SPNEGO/Kerberos and delegation

大憨熊 submitted on 2019-12-31 14:42:33
Question: Is there an apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation? I've already looked at mod_spnego and it throws away the SSPI context it creates only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user. EDIT: To clarify, I need

java security exception : checksum failed

杀马特。学长 韩版系。学妹 submitted on 2019-12-25 02:29:32
Question: I am using http://webmoli.com/2009/08/29/single-sign-on-in-java-platform/ for SSO in java. I have KDC Windows server 2008, in that I have created spn by using setspn command for testsso user. And using testsso@MYDOMAIN.COM as principal in jaas.con. I have Tomcat server in Windows 7 machine (within AD). In this I have created one servlet as of jsp (from webmoli itself). I am sending browser request for that servlet from 3rd machine Windows XP (within AD). But I get checksum failed error. Stacktrace

Kerberos delegation: GSSUtil.createSubject returns subject with principal name only

时间秒杀一切 submitted on 2019-12-24 22:51:48
Question: I am doing kerberos delegation. I noticed that GSSUtil.createSubject(context.getSrcName(), clientCred) returns a Subject without having credentials in it. Prior to that I've done GSSCredential clientCred = context.getDelegCred(); which returns the credentials. Edit: When I hit my service from one machine in same domain, it works, while if accessed from other machine in same domain, it doesn't. Confused what additional settings are needed on AD? Any help is highly appreciated. Following is my