
I am developing a web application with Kerberos (v1.0.1) authentication.

My aim is to provide a login through Windows authentication against Active Directory (Windows Server 2008 R2).

The problem is that the browser sends an NTLM ticket to the back end instead of a Kerberos ticket. I used Wireshark to check the communication workflow:

  1. I make a REST call to the back end
  2. the application server responds with a 401
  3. the browser calls the Kerberos service on the Active Directory and receives the TGS_REP
  4. now I expected the browser to call my REST service with the Kerberos token, but I received the NTLM token instead

My back end service, developed in Java, throws the following exception:

GSSException: Defective token detected

EDIT 1:

The first problem was that we used the IP to generate the SPN and the keytab. So we created the keytab this way:

ktpass /out c:\keytab\myuser.keytab /mapuser myuser@company.com /princ HTTP/myuser.company.com@WELLD.CH /pass mypassword /ptype KRB5_NT_PRINCIPAL /crypto All

Then we added our BE server to the DNS:

<ip_server>  myuser.company.com

At the moment we can log in with Kerberos, and the BE (Spring Boot) successfully validates the Kerberos token, but we can't fetch the user information with KerberosLdapContextSource, so we adopted a workaround and used the DefaultSpringSecurityContextSource bean.


Does someone have any idea or references to rely on?

Thanks

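As an added diagnostic for step 4 of the workflow above and for the IP-versus-hostname point in EDIT 1 (this is not code from the question, from Spring Security or from Java GSS): a small Python script that decodes the Authorization header the browser actually sent and tells NTLM from SPNEGO/Kerberos by the token's leading bytes, and that says whether a URL's host can map to an HTTP/<host> SPN at all. The sample tokens, the header-building helper and the URLs are constructed here for illustration; only the leading bytes of the tokens are meaningful.

```python
"""Tell NTLM from SPNEGO/Kerberos in an 'Authorization: Negotiate' header.

Added diagnostic for the question's workflow. It is not code from the
question, from Spring Security or from Java GSS. All sample tokens and
headers in this file are constructed here; only their leading bytes matter.
"""
import base64
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Every NTLM message starts with this 8-byte signature. Under the Negotiate
# scheme it is sent base64-encoded, so an NTLM fallback is visible on the
# wire as "Negotiate TlRMTVNTUAAB...".
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# DER-encoded mechanism OIDs that follow the 0x60 InitialContextToken tag
# (RFC 2743 section 3.1) in a GSS token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def _der_content_offset(buf: bytes) -> int:
    """Offset of the content of the DER TLV at buf[0] (skips tag and length)."""
    if len(buf) < 2:
        raise ValueError("token too short for a DER header")
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n


def classify_gss_token(token: bytes) -> str:
    """Return 'ntlm', 'spnego', 'kerberos', 'unknown' or 'malformed'."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if token[:1] != b"\x60":              # not an InitialContextToken
        return "unknown"
    try:
        body = token[_der_content_offset(token):]
    except ValueError:
        return "malformed"
    if body.startswith(SPNEGO_OID):
        return "spnego"
    if body.startswith(KRB5_OID):
        return "kerberos"
    return "unknown"


def classify_authorization_header(value: str) -> str:
    """Classify a raw 'Authorization:' header value as the browser sent it."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return "malformed"
    return classify_gss_token(raw)


def spn_for_url(url: str) -> Optional[str]:
    """HTTP/<host> SPN a Windows browser would ask the KDC for, or None.

    Windows clients do not derive a Kerberos SPN from an IP literal by
    default, so a URL such as http://10.0.0.5:8080/ falls back to NTLM.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return f"HTTP/{host}"             # a hostname: an SPN can be built
    return None                           # IP literal: expect NTLM fallback


# --- constructed samples (not real captures) ----------------------------
def _constructed_gss_token(mech_oid: bytes, payload_len: int) -> bytes:
    """0x60 || DER length || mech OID || zero padding, for classification only."""
    body = mech_oid + bytes(payload_len)
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return b"\x60" + length + body


def negotiate_header(token: bytes) -> str:
    """Build the header value a browser would send for a GSS token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


SAMPLE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + bytes(24)
SAMPLE_SPNEGO = _constructed_gss_token(SPNEGO_OID, 40)    # short-form length
SAMPLE_KRB5 = _constructed_gss_token(KRB5_OID, 150)       # long-form length


if __name__ == "__main__":
    for name, tok in [("ntlm", SAMPLE_NTLM_TYPE1), ("spnego", SAMPLE_SPNEGO), ("krb5", SAMPLE_KRB5)]:
        hdr = negotiate_header(tok)
        print(f"{name:7} {hdr[:24]}... -> {classify_authorization_header(hdr)}")
    for url in ("http://10.0.0.5:8080/api", "https://myuser.company.com/api"):
        print(f"{url} -> SPN {spn_for_url(url)}")
```

Paste the header value from the Wireshark capture (or from a servlet filter that logs it) into classify_authorization_header. An NTLM fallback decodes from "Negotiate TlRMTVNTUAAB...", while a real SPNEGO token decodes from a value starting with "Y" (typically "YII..." at realistic sizes). Java GSS does not implement NTLM, so handing it the NTLM blob is exactly the kind of input that surfaces as a "Defective token" GSSException rather than as a clean authentication failure; spn_for_url makes the EDIT 1 point visible, since an IP literal in the URL yields no SPN to request a ticket for.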
  • So, does SSO actually work with NTLM, or does that fail as well? – T-Heron Nov 17 '16 at 16:03
  • Not enough background given here other than to guess at possible solutions. Could be that GSSAPI tossed out the defective token either because you're coming in from an untrusted domain, or perhaps you recently replaced the keytab and didn't restart your application service afterwards. – T-Heron Nov 24 '16 at 02:36
