问题
My goal: implement SSO on a java-based web application. My problem: I'm not a security guy...
After some investigation I found that spring security kerberos extension is what I need (also looked into apache shiro but could only find example with a login page).
I used the samples in the following project: https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-sample
I realized that I need to create a keytab. When I tried to use the keytab I got the following error:
javax.security.auth.login.LoginException: Unable to obtain password from user
Looking for some details about this error I saw that it could result from a wrong keytab location, but this is not the case here - I debugged into the source code and saw that the keytab file is loaded.
So I decided to check my keytab and see if it's ok. First, this is last command (after a long evolution) I used to create my keytab:
ktpass /out http-web.keytab /mapuser MyUser@MYDOMAIN.COM /princ HTTP/MyUser@MYDOMAIN.COM /pass MyPass /ptype KRB5_NT_PRINCIPAL
Of course I created an SPN for MyUser with the following command:
setspn -a HTTP/MyUser@MYDOMAIN.COM MYDOMAIN.COM\MyUser
I tested the spn with the the following:
setspn -Q HTTP/MyUser@MYDOMAIN.COM
And got a successful result:
Checking domain DC=mydomain,DC=com CN=MyUser,OU=MyOrg,DC=mydomain,DC=com
HTTP/MyUser
HTTP/MyUser@MYDOMAIN.COM
Existing SPN found!
Now I wanted to test if I can obtain a ticket for MyUser by running the following command:
kinit MyUser@MYDOMAIN.COM
I got a successful result ("new ticket is stored in cache file....")
Now I wanted to test it with my keytab:
kinit MyUser@MYDOMAIN.COM -k -t http-web.keytab
Got the following exception:
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
I used klist tool to see if my keytab contains any keys:
klist -e -K -k -t http-web.keytab
Got the following result:
KVNO: 8
Key type: 23
Key: 0x47bf8039a8506cd67c524a03ff84ba4e
Time stamp: Jan 01, 1970 02:00
As a last desperate attempt, I checked the following account options for MyUser:
- Use Kerberos DES encryption types for this account
- The account suppoerts Kerberos AES 128 bit encryption
- The account suppoerts Kerberos AES 256 bit encryption
I'm not sure if setting these options caused it, but now when I run
kinit MyUser@MYDOMAIN.COM
I get the following error:
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
So I'm kind of desperate here, I don't really know what I'm doing. It's all a matter of trial and error (mostly error). If anyone can guide me through here it would be much appreciated.
Thanks, Lior
回答1:
Turned out to be a stupid mistake. I injected in spring the user account instead of the principal name as the servicePrincipal.
来源:https://stackoverflow.com/questions/23731297/using-keytab-file-with-spring-security-kerberos-extension