
My computer (Windows, JDK 7 update 21 x64), e.g. mybox.domain2.company.com, is connected to a domain of my company. I can access a site at three different URLs:

http://mysite.domain1.company.com

or

http://XXX.XXX.XXX.XXX(ip format)

or

http://mysitealias

via Negotiate authentication in IE, Firefox, etc. Here domain1.company.com and domain2.company.com are two domains in my company. This site is hosted in IIS 7, and its authentication is "Negotiate".

After googling and configuring Kerberos, I can use URLConnection in Java to access

http://mysite.domain1.company.com

However, I can use the IP or host alias in browsers to do that, but not in Java. Can anyone achieve direct IP access or host alias access?

krb5.conf:

[libdefaults]
    default_realm = DOMAIN2.COMPANY.COM
    default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[domain_realm]
    .domain1.company.com = DOMAIN1.COMPANY.COM
    .domain2.company.com = DOMAIN2.COMPANY.COM

login.conf:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
};

(Please note that all host names are given as examples only.)

Bobby Zhou

1 Answer


Kerberos is not designed to work on IP addresses. Stick to hostnames only.

Michael-O
  • It may be true, but 1. Browsers can access the page via IIS Negotiate. I want to know how browsers handle this. 2. Even if IP is not supported, what about domain aliases? – Bobby Zhou Jun 02 '13 at 13:43
  • Simply because it's Negotiate. If Kerberos fails, the browser will fall back to NTLM. – Michael-O Jun 02 '13 at 18:57
  • I also thought there might be some fallback. But I think I handled NTLM correctly (I can access other NTLM-only sites), but the site we are talking about cannot trigger the NTLM authentication part of my code. So if we can handle this correctly, the problem will be solved. Thanks for your guidance. Can you give some further information about how to fall back and handle this in Java? – Bobby Zhou Jun 03 '13 at 02:37
  • I would like to describe it more clearly: there is built-in NTLM support for the URL class in Windows Java 7, and I handled NTLM with jcifs for Apache HttpClient. None of this works if you access a Negotiate site via IP or domain aliases with Kerberos configured. So I want a workaround. – Bobby Zhou Jun 03 '13 at 03:25
  • Why don't you simply use the FQDN and your problems are gone? Keep in mind that NTLM is proprietary and no open-source implementation will probably match the one from MS. Java 8 has NTLM support and Apache HttpClient seems to have it. If the server requires `Negotiate` the client has to perform the fallback automatically without YOUR intervention, but the JDK has only support for SPNEGO with Kerberos, no NTLM. – Michael-O Jun 03 '13 at 05:58
  • That's because my Java tool needs to collect site information from the user to do a web test, and the user would like to input a short domain alias for the site address. If aliases were supported it would be kinder. Anyway, thanks for your confirmation of the current lack of SPNEGO NTLM fallback support in Java. – Bobby Zhou Jun 04 '13 at 05:58
  • Is there any way to force the Java client to send an NTLM response to the server and match the "Negotiate"? – Bobby Zhou Jun 04 '13 at 06:09
  • No, unless the server requests NTLM or Kerberos fails. – Michael-O Jun 04 '13 at 07:00
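An added illustration (not code from the question, the answer, or the JDK) of why only the FQDN form in the answer above gets a Kerberos ticket, and of the canonicalisation workaround the comment thread circles around: the SPNEGO client builds the service principal from the host in the URL plus the [domain_realm] mapping of the posted krb5.conf (falling back to default_realm, the documented krb5 lookup order), and the KDC can only issue a ticket for a principal that is actually registered. The registered-SPN set, the CNAME table, the 10.0.0.5 address and the `HTTP` service class are constructed assumptions for the example.

```python
"""Which service principal a SPNEGO client asks for, given the krb5.conf
from the question, and whether the KDC can satisfy it.  Illustrative model,
not JDK or MIT krb5 code.  DNS and SPN tables below are constructed."""
import ipaddress
from urllib.parse import urlsplit

# [libdefaults] / [domain_realm] exactly as posted in the question
DEFAULT_REALM = "DOMAIN2.COMPANY.COM"
DOMAIN_REALM = {
    ".domain1.company.com": "DOMAIN1.COMPANY.COM",
    ".domain2.company.com": "DOMAIN2.COMPANY.COM",
}

# Constructed (assumption): SPNs registered in AD on the IIS app-pool account.
REGISTERED_SPNS = {"HTTP/mysite.domain1.company.com@DOMAIN1.COMPANY.COM"}

# Constructed (assumption): forward DNS CNAME record for the short alias.
FAKE_CNAMES = {"mysitealias": "mysite.domain1.company.com"}


def realm_for_host(host, domain_realm=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    """Exact [domain_realm] entry first, then the longest '.suffix' entry,
    then default_realm when nothing matches (krb5's lookup order)."""
    h = host.lower()
    if h in domain_realm:
        return domain_realm[h]
    best = None
    for suffix, realm in domain_realm.items():
        if suffix.startswith(".") and h.endswith(suffix.lower()):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, realm)
    return best[1] if best else default_realm


def host_kind(host):
    """Classify the URL host: IP literal, single-label alias, or FQDN."""
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        return "fqdn" if "." in host else "short-alias"


def requested_spn(url, service="HTTP"):
    """SPN the client builds straight from the URL host, no DNS involved."""
    host = (urlsplit(url).hostname or "").lower()
    return "%s/%s@%s" % (service, host, realm_for_host(host))


def kerberos_outcome(url, registered=REGISTERED_SPNS):
    """(spn, True) if a ticket can be issued; (spn, False) means the KDC
    answers 'principal unknown' and SPNEGO has nothing to fall back to."""
    spn = requested_spn(url)
    return spn, spn in registered


def canonicalize(host, cnames=FAKE_CNAMES):
    """Follow CNAMEs *forward* to the name the SPN was registered for.
    Deliberately no reverse (PTR) lookup: whoever controls reverse DNS
    would otherwise choose which service ticket the client requests."""
    seen = set()
    while host in cnames and host not in seen:
        seen.add(host)
        host = cnames[host]
    return host


def kerberos_outcome_canonical(url, registered=REGISTERED_SPNS):
    """The workaround: rewrite a user-supplied alias to its FQDN before
    connecting, so the requested SPN matches the registered one."""
    parts = urlsplit(url)
    fqdn = canonicalize((parts.hostname or "").lower())
    port = ":%d" % parts.port if parts.port else ""
    return kerberos_outcome(parts._replace(netloc=fqdn + port).geturl(), registered)


if __name__ == "__main__":
    for u in ("http://mysite.domain1.company.com", "http://10.0.0.5", "http://mysitealias"):
        spn, ok = kerberos_outcome(u)
        print("%-34s %-11s -> %-50s %s" % (u, host_kind(urlsplit(u).hostname), spn,
                                         "ticket issued" if ok else "KDC: principal unknown"))
    print("after canonicalisation:", kerberos_outcome_canonical("http://mysitealias"))
```

The IP and alias forms fail for the same reason: the SPN the client asks for (`HTTP/10.0.0.5@DOMAIN2.COMPANY.COM`, `HTTP/mysitealias@DOMAIN2.COMPANY.COM`) is not the one the service account has, so the KDC refuses and the pure-Kerberos SPNEGO client in the JDK has no NTLM leg to fall back to. Resolving the alias forward to its FQDN before building the URL is the workaround that keeps the tool's short-alias input while still sending the FQDN to both the KDC and IIS.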