Announcement Announcement Module
No announcement yet.
Spring Security 3 + Kerberos + SPN Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring Security 3 + Kerberos + SPN

    hi all
    i am trying to configure my Spring 3 app for kerberos authentication, but i cannot get my head around Service Principal Names.
    At the moment i have a working webapp that authenticates using Kerberos with the following setup:
    - app running on host
    - SPN created as HTTP/

    FYI myapp is not running on an IIS, it is running on a tomcat instance.

    Originally, this application was running on, which has been decommissioned 6 months ago. Because we didnt want our clients to be affected, we setup a dns redirection that redirects to

    After i enabled kerberos authentication on my webapp, i have noticed that :
    - If i use Firefox (properly configured for kerberos) i can access my app either at or
    - If i use python, i can access my app either at or
    - If i use IE (which most of our clients use), i can only access my application at

    my app is also running on a production host THe 'problem' is that the app on production host will be accessed also with this URL, as we have a DNS redirection in place.

    from documentations i have read here
    A particular service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running. Therefore, a service instance might register an SPN for each name or alias of its host.
    So it appears that i will have to configure two separate SPNs , one as HTTP/ and another HTTP/

    However, SunJaasKerberosTicketValidator allows only one SPN to be configured....

    HOw shall i proceed then? my worry is that if i configure SPN to be HTTP/, and someone access my app, using IE with the kerberos auth will fail

    Could anyone advise on how to proceed?

    w/kindest regards