
tc Server on Red Hat Linux

I have been trying to follow this example: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. AD service account set up; setspn and ktpass commands executed to create the SPN and keytab.

If I use the mapuser option with the ktpass command and allow the userPrincipalName to be changed, it will work for that one SPN. I cannot get it configured to be able to use multiple SPNs for one AD service ID. The AD account is set up for delegation.

jaas.conf snippet

com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=false
        useKeyTab=true
        keyTab="<path>/test5a.keytab"
        principal="<fqdn>"
        storeKey=true
        doNotPrompt=true;
};

com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=false
        useKeyTab=true
        keyTab="<path>/test5a.keytab"
        principal="HTTP/<fqdn>"
        storeKey=true
        doNotPrompt=true;
};

If I change the UPN to anything but the SPN I am working with, it fails with "could not find user in Kerberos database". What am I missing to be able to use one AD service account for multiple SPNs?

Mike
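A check that helps when debugging this kind of setup is to look inside the keytab itself: the principal named in the accept section of jaas.conf has to match a keytab entry exactly (service, host and realm), and that entry's kvno has to match the account's current kvno in AD, which ktpass bumps every time it resets the password. The following is an added example, not code from the question, the answer or the Tomcat how-to. It is a minimal Python reader and writer for the MIT keytab file format (version 0x0502) that lists every principal, kvno and enctype in a keytab; the SPN names, realm and key bytes are constructed so the script runs offline. The same parse_keytab() works on a real keytab written by ktpass or ktutil if you pass in the file's bytes.

```python
"""Minimal reader/writer for the MIT/Heimdal keytab format (version 0x0502).

Added example for inspecting a keytab used by Krb5LoginModule. It builds a
keytab in memory with constructed (fake) keys for two HTTP SPNs of one realm
and parses it back, showing that a single keytab file can hold entries for
several principals and what kvno/enctype each entry carries.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"      # keytab file format version 2
NT_PRINCIPAL = 1                 # Kerberos name type for service principals
AES256_CTS_HMAC_SHA1_96 = 18     # enctype numbers from the IANA Kerberos registry
RC4_HMAC = 23


def _counted(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, realm: str, kvno: int, enctype: int,
                key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one keytab entry for a principal such as 'HTTP/host.example.com'."""
    components = principal.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)                  # keyblock
    body += struct.pack(">I", kvno)                                     # 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """Concatenate the version header and one serialised entry per dict."""
    return KEYTAB_MAGIC + b"".join(build_entry(**e) for e in entries)


def parse_keytab(blob: bytes):
    """Return a list of dicts describing every live entry in a keytab."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno is present
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype,
                        "keylen": len(key), "timestamp": timestamp})
    return entries


def check_spn_present(entries, principal: str) -> bool:
    """True if the keytab holds a key for the exact principal jaas.conf names."""
    return any(e["principal"] == principal for e in entries)


# Constructed sample: one AD service account, two HTTP SPNs, same kvno.
# The key bytes are placeholders, not real Kerberos keys.
SAMPLE_ENTRIES = [
    dict(principal="HTTP/tcserver1.example.com", realm="EXAMPLE.COM",
         kvno=3, enctype=AES256_CTS_HMAC_SHA1_96, key=bytes(range(32))),
    dict(principal="HTTP/tcserver2.example.com", realm="EXAMPLE.COM",
         kvno=3, enctype=RC4_HMAC, key=bytes(range(16))),
]


def sample_entries():
    """Build the constructed keytab and parse it back."""
    return parse_keytab(build_keytab(SAMPLE_ENTRIES))


if __name__ == "__main__":
    for e in sample_entries():
        print(f"{e['principal']}  kvno={e['kvno']}  enctype={e['enctype']}  keylen={e['keylen']}")
```

To inspect a real file, replace the sample with `parse_keytab(open("/path/to/test5a.keytab", "rb").read())`; on a host with MIT Kerberos tools, `klist -k -t -e` on the same file should list the same principals and kvnos.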

1 Answer


The SPN is also linked to the keytab, hence you need to generate a new keytab file for each SPN.

Maarten Winkels
Yep, and each time we create a new keytab/SPN it resets the UPN, and only 1 works at any given time. – Mike Sep 12 '14 at 17:03