  • Spring Security 3 + Kerberos + SPN

    Hi all,
    I am trying to configure my Spring 3 app for Kerberos authentication, but I cannot get my head around Service Principal Names.
    At the moment I have a working webapp that authenticates using Kerberos with the following setup:
    - app running on host http://myhost.domain.com:1234
    - SPN created as HTTP/myhost.domain.com

    FYI, my app is not running on IIS; it is running on a Tomcat instance.

    Originally, this application was running on http://tmphost.domain.com:1234, which was decommissioned 6 months ago. Because we didn't want our clients to be affected, we set up a DNS redirection that redirects http://tmphost.domain.com:1234 to http://myhost.domain.com


    After I enabled Kerberos authentication on my webapp, I noticed that:
    - If I use Firefox (properly configured for Kerberos) I can access my app either at http://myhost.domain.com:1234 or http://tmphost.domain.com:1234
    - If I use Python, I can access my app either at http://myhost.domain.com:1234 or http://tmphost.domain.com:1234
    - If I use IE (which most of our clients use), I can only access my application at http://myhost.domain.com:1234

    My app is also running on a production host http://prodhost.domain.com:5678. The 'problem' is that the app on the production host will also be accessed with this URL http://myapp.domain.com:5678, as we have a DNS redirection in place.

    From the documentation I have read here http://support.microsoft.com/kb/929650
    Code:
    A particular service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running. Therefore, a service instance might register an SPN for each name or alias of its host.
    So it appears that I will have to configure two separate SPNs, one as HTTP/prodhost.domain.com and another as HTTP/myapp.domain.com.

    However, SunJaasKerberosTicketValidator allows only one SPN to be configured...

    How shall I proceed then? My worry is that if I configure the SPN to be HTTP/prodhost.domain.com, and someone accesses my app using IE with http://myapp.domain.com, the Kerberos auth will fail.

    Could anyone advise on how to proceed?

    With kindest regards,
    Marco
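An added example, not part of Marco's post and not code from Spring Security Kerberos, that models the client side of the problem above: how a browser or script turns the URL it was given into the service principal it asks the KDC for, and therefore which SPNs the service (and its keytab) must hold. It assumes two simplified client behaviours: MIT krb5/GSSAPI-based clients (the Python kerberos module is one) canonicalize the URL host through CNAME, A and PTR lookups before building the principal, while Windows SSPI clients such as IE use the host name exactly as typed. The DNS records, host names and the helper names (`canonical_host`, `spn_for_url`, `required_spns`) are constructed for the example.

```python
"""Model how a Kerberos client derives the SPN it requests from a URL.

Two client behaviours are modelled (an assumption/simplification):
* canonicalizing clients (MIT krb5/GSSAPI style, e.g. the Python kerberos
  module): follow CNAME -> A, then reverse-resolve the address (PTR), and
  put the resulting name into the SPN;
* non-canonicalizing clients (Windows SSPI, as used by IE): use the host
  name exactly as it appears in the URL.
"""
from urllib.parse import urlparse

# Constructed zone data for the example; not real DNS records.
CNAME = {
    "tmphost.domain.com": "myhost.domain.com",
    "myapp.domain.com": "prodhost.domain.com",
}
A = {
    "myhost.domain.com": "10.0.0.10",
    "prodhost.domain.com": "10.0.0.20",
}
PTR = {
    "10.0.0.10": "myhost.domain.com",
    "10.0.0.20": "prodhost.domain.com",
}


def canonical_host(host, cname=CNAME, a=A, ptr=PTR):
    """Follow the CNAME chain, then forward (A) and reverse (PTR) lookups,
    the way a canonicalizing client rewrites the host before building the SPN."""
    seen = set()
    while host in cname:
        if host in seen:
            raise ValueError(f"CNAME loop at {host}")
        seen.add(host)
        host = cname[host]
    addr = a.get(host)
    if addr is None:
        raise ValueError(f"no A record for {host}")
    # Without a PTR record the forward name is kept.
    return ptr.get(addr, host)


def spn_for_url(url, canonicalize, service="HTTP"):
    """SPN a client will request for `url`.

    The TCP port is never part of an HTTP SPN, so http://host:1234 and
    http://host:5678 map to the same principal."""
    host = urlparse(url).hostname.lower()
    if canonicalize:
        host = canonical_host(host)
    return f"{service}/{host}"


def required_spns(urls):
    """Every SPN some client may present for the given URLs.

    Each of these must be registered for the service account and, for a
    keytab-based acceptor, have a key in the keytab; otherwise one class
    of clients (those deriving the missing name) will fail to authenticate."""
    return sorted({spn_for_url(u, c) for u in urls for c in (True, False)})


if __name__ == "__main__":
    urls = ["http://prodhost.domain.com:5678", "http://myapp.domain.com:5678"]
    for u in urls:
        print(u, "->", spn_for_url(u, True), "(canonicalizing) /",
              spn_for_url(u, False), "(as typed)")
    print("SPNs needed:", required_spns(urls))
```

Run against the constructed zone, the alias URL yields HTTP/prodhost.domain.com for a canonicalizing client but HTTP/myapp.domain.com for an as-typed client, which is the split between the Firefox/Python and IE results described in the post; `required_spns` returns the union, i.e. the list of names that must all be registered and present in the keytab the validator uses.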