
I'm trying to configure Tomcat 6 on Windows Server 2008 to recognise multiple Kerberos tickets but not having much luck. I've got a single keytab containing multiple SPNs but seem to only be able to specify a single principal name in the spnego config.

Reason for multiple SPNs is so I can authenticate connections both directly to the server but also through a load balancer alias.

Has anyone tried this before and have any pointers?

login.conf:

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="mykeytab.keytab"
    principal=HTTP/svc_account.domain.com@DOMAIN.COM;
};

1 Answer


From Java 7, as far as I know, you can use a wildcard principal: principal="*".

The principal name can either be a simple user name, a service name such as host/mission.eng.sun.com, or "*".

From: http://www.grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8-b132/com/sun/security/auth/module/Krb5LoginModule.java#Krb5LoginModule

Michael-O
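Once the login module is allowed to pick any principal from the keytab, the remaining check is whether the keytab really holds both the host SPN and the load-balancer alias SPN. The following is an added example, not code from the question or the answer: it builds a constructed MIT v2 keytab in memory (the realm, SPN names and all-zero keys are made up) and parses the on-disk layout to list the entries, including the deleted-slot and 32-bit kvno cases; the same parser works on a real keytab read from disk.

```python
import struct

def _cstr(s: bytes) -> bytes:  # counted_octet_string: uint16 BE length + bytes
    return struct.pack(">H", len(s)) + s
def _read_cstr(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):
    """Constructed v2 keytab (magic 0x0502) from (principal, kvno, enctype, key) tuples."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _cstr(key)  # keyblock
        body += struct.pack(">I", kvno)                  # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body       # size prefix excludes itself
    return out

def list_keytab_principals(data: bytes):
    """Return [(principal, kvno, enctype)] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        names, pos = [], pos + 2
        for _ in range(ncomp + 1):   # realm first, then each name component
            s, pos = _read_cstr(data, pos)
            names.append(s.decode())
        pos += 8                     # skip name_type and timestamp
        vno8, enctype = data[pos], struct.unpack_from(">H", data, pos + 1)[0]
        _, pos = _read_cstr(data, pos + 3)  # key material is not needed for listing
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        found.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return found

# Constructed sample: both SPNs from the question in one keytab (keys are dummy zeros).
SAMPLE = build_keytab([("HTTP/svc_account.domain.com@DOMAIN.COM", 3, 18, b"\x00" * 32),
                       ("HTTP/lb-alias.domain.com@DOMAIN.COM", 3, 18, b"\x00" * 32)])
```

To check a real file, pass `open("mykeytab.keytab", "rb").read()` to `list_keytab_principals` and confirm every SPN clients will use appears with the kvno currently set on the service account.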