using keytab file with spring security kerberos extension

試著忘記壹切 提交于 2019-12-08 12:04:13

问题


My goal: implement SSO on a java-based web application. My problem: I'm not a security guy...

After some investigation I found that spring security kerberos extension is what I need (also looked into apache shiro but could only find example with a login page).

I used the samples in the following project: https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-sample

I realized that I need to create a keytab. When I tried to use the keytab I got the following error:

javax.security.auth.login.LoginException: Unable to obtain password from user

Looking for some details about this error I saw that it could result from a wrong keytab location, but this is not the case here - I debugged into the source code and saw that the keytab file is loaded.

So I decided to check my keytab and see if it's ok. First, this is last command (after a long evolution) I used to create my keytab:

ktpass /out http-web.keytab /mapuser MyUser@MYDOMAIN.COM /princ HTTP/MyUser@MYDOMAIN.COM /pass MyPass /ptype KRB5_NT_PRINCIPAL

Of course I created an SPN for MyUser with the following command:

setspn -a HTTP/MyUser@MYDOMAIN.COM MYDOMAIN.COM\MyUser

I tested the spn with the the following:

setspn -Q HTTP/MyUser@MYDOMAIN.COM

And got a successful result:

Checking domain DC=mydomain,DC=com CN=MyUser,OU=MyOrg,DC=mydomain,DC=com
    HTTP/MyUser
    HTTP/MyUser@MYDOMAIN.COM

Existing SPN found!

Now I wanted to test if I can obtain a ticket for MyUser by running the following command:

kinit MyUser@MYDOMAIN.COM

I got a successful result ("new ticket is stored in cache file....")

Now I wanted to test it with my keytab:

kinit MyUser@MYDOMAIN.COM -k -t http-web.keytab

Got the following exception:

Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:

I used klist tool to see if my keytab contains any keys:

klist -e -K -k -t  http-web.keytab

Got the following result:

KVNO: 8
Key type: 23
Key: 0x47bf8039a8506cd67c524a03ff84ba4e
Time stamp: Jan 01, 1970 02:00

As a last desperate attempt, I checked the following account options for MyUser:

  • Use Kerberos DES encryption types for this account
  • The account suppoerts Kerberos AES 128 bit encryption
  • The account suppoerts Kerberos AES 256 bit encryption

I'm not sure if setting these options caused it, but now when I run

kinit MyUser@MYDOMAIN.COM

I get the following error:

Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)

So I'm kind of desperate here, I don't really know what I'm doing. It's all a matter of trial and error (mostly error). If anyone can guide me through here it would be much appreciated.

Thanks, Lior


回答1:


Turned out to be a stupid mistake. I injected in spring the user account instead of the principal name as the servicePrincipal.



来源:https://stackoverflow.com/questions/23731297/using-keytab-file-with-spring-security-kerberos-extension

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!