Spring Security Kerberos Extension: SPN's and keytab on AD or App server?

  • Spring Security Kerberos Extension: SPN's and keytab on AD or App server?

    Mike, good work on this very useful extension.

    To clarify your proposed solution on the blog post, are you saying the SPN and keypass file need to be generated on the active directory server, as opposed to the keypass being created on the app server?


    Also, you mention that setting up a proper Kerberos environment can be complicated. I was under the impression, based on some Microsoft documentation (this and this), that Active Directory uses Kerberos out of the box. Do you know of some docs that point to other configurations that must be made to enable this? I haven't found any on MSDN. We have IIS web apps that already use Windows integrated authentication and are working, so I'm assuming the Kerberos environment is already set up for us to use and it's just a matter of me following your proposed solution to get Windows integrated auth working.


    btw, I'm interested to hear your take on Joe Khoobyar's suggestion on the blog post about using:
    Microsoft Windows SSPI for native Kerberos/SPNEGO. This forgoes the need for using KTPASS, works seamlessly in complex cross-forest authentication scenarios, and is critical for full single sign-on integration when your organization uses a more "Microsoft centric" Kerberos solution… such as Centrify.

  • #2
    bump..

    any thoughts? anyone? what's the best way to get in touch with Mike to help out with this extension?



  • #3
    The keytab file is like a private key, or set of pre-authenticated credentials against the KDC. You're generating a keytab for the service principal representing the web application. Once the keytab is generated (using the ktpass command on the AD server), you're copying this file to the application server and using it in your Spring Sec configuration. Does that answer your question?

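Once the keytab has been copied to the application server, the first thing worth checking is that it actually holds a key for the expected service principal (HTTP/host@REALM) at the key version the AD account currently has, since a stale kvno or a wrong SPN is the usual reason the ticket validation fails. The following is an added example, not code from the forum posts or from the extension: a small Python parser for the MIT keytab format (version 0x0502, the format ktpass and ktutil write) that lists principals, key versions and enctypes without exposing key material. The sample keytab it builds is constructed; the hostname, realm, kvno and timestamp are assumptions.

```python
import struct
from collections import namedtuple

# principal is SPN@REALM; kvno must match the service account's current key version in AD
KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype timestamp key_len")

def _cs(b):   # encode a 16-bit length-prefixed octet string (big-endian)
    return struct.pack(">H", len(b)) + b

def _read_cs(buf, off):   # decode one; returns (bytes, new offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples into a v2 keytab (test data only)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cs(realm.encode()) + b"".join(_cs(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL, 8-bit kvno
        body += struct.pack(">H", enctype) + _cs(key) + struct.pack(">I", kvno)  # keyblock + 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab as written by ktpass/ktutil; key material is never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_cs(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_cs(data, off)
            comps.append(comp.decode())
        _name_type, ts, vno8, enctype = struct.unpack_from(">IIBH", data, off)  # no padding in ">" mode
        key, off = _read_cs(data, off + 11)
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno; non-zero overrides the 8-bit field
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts, len(key)))
        off = end
    return entries

# Constructed sample (not a real keytab): the web app's SPN with two enctypes (23 = RC4-HMAC, 18 = AES256) at kvno 3
SAMPLE_KEYTAB = build_keytab([("HTTP/app.example.com@EXAMPLE.COM", 3, 23, b"\x11" * 16, 1262304000),
                              ("HTTP/app.example.com@EXAMPLE.COM", 3, 18, b"\x22" * 32, 1262304000)])
```

Run `parse_keytab(open("/path/to/app.keytab", "rb").read())` on the copied file and compare the principal string against the SPN registered on the AD account and the kvno against the account's current key version.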


  • #4
    yes, thanks!

    The problem was that we have Windows 2003 Servers, and that ktpass utility is not installed by default on that OS (as it is in Windows 2008). So you have to download and install the Windows Server 2003 Support Tools package, which has ktpass and other goodies.



  • #5
    > Active Directory uses Kerberos out of the box

    This is true.

    > other configurations that must be made to enable this?

    Here's an alternative library that does the same thing.

    http://spnego.sourceforge.net

    > This forgoes the need for using KTPASS

    This is also true.

    KTPASS is NOT required.

    The spnego sourceforge project does NOT use ktpass.
