
I'm trying to get the sample spring security kerberos application running, before I try and integrate it into my actual application. This is the app I'm running: https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth/src/main

I have set up the SPN and created the keytab. When running the application and attempting to access it using Chrome, I get back an error 500.

Which on the server console shows up as:

Negotiate Header was invalid: 
org.springframework.security.authentication.BadCredentialsException: 
GSSContext name of the context initiator is null
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:253)

I can see from the code that this happens when getSrcName() from the GSSContext returns null.

For now I'm running just on my laptop, to try and get it working. The Java process that's running the Spring app is running under the same Windows account that I use to log in. DNS is configured so that I can access my laptop using laptop-name.mycompany.com. Here's what I did for the SPN and keytab:

setspn -A HTTP/laptop-name.mycompany.com:8080 myWindowsUsername

ktpass -princ HTTP/laptop-name.mycompany.com:8080@MYCOMPANY.COM -pass password123 -mapuser myWindowsUsername@mycompany.com -out keytab.keytab -ptype KRB5_NT_PRINCIPAL

Inside the Java security directory I have added a krb5.conf which contains the following:

[Libdefaults]
 permitted_enctypes = arcfour-hmac-md5 rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = arcfour-hmac-md5 rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = arcfour-hmac-md5 rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 dns_lookup_kdc = true
 dns_lookup_realm = false

[Domain_realm]
 mycompany.com = MYCOMPANY.COM
 .mycompany.com = MYCOMPANY.COM

I'm not sure if it is a problem, but when I use kinit to validate the keytab I see this at the bottom of the output

Looking for keys for: -V@MYCOMPANY.COM
default etypes for default_tkt_enctypes: 23 23 18 17 16.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
    at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
    at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

The output also suggests that the principal is -V@MYCOMPANY.COM, which doesn't seem right.

I'm still somewhat of a novice around the usage of keytabs and the GSS API. I'm not sure whether this is a problem with my keytab generation, the SPN setup or something about my system configuration; any help would be very much appreciated.

Martin Cassidy
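Added example, not part of the question above or of the Spring Security Kerberos project: a small Python reader for the MIT keytab file format that lists the principals and encryption types a keytab actually holds, so they can be compared with the default_tkt_enctypes list in the krb5.conf shown above (the condition kinit's "Do not have keys of types listed in default_tkt_enctypes" message reports). The sample keytab bytes are constructed inline for the SPN from the question, with dummy all-zero key material; the etype numbers are the standard Kerberos assignments.

```python
# Added example: minimal MIT keytab (format 0x0502) reader, to compare its keys with krb5.conf default_tkt_enctypes.
import struct
# etype numbers (RFC 3961/3962/4757) for the names used in the krb5.conf above
ETYPE_IDS = {"des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16, "aes128-cts": 17,
             "aes256-cts": 18, "rc4-hmac": 23, "arcfour-hmac-md5": 23}

def _cstr(buf, pos):                      # counted octet string: uint16 len + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype)] for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp.decode())
        _ntype, _stamp, kvno, etype = struct.unpack_from(">IIBH", data, pos)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end                         # skip the key bytes and optional vno32
    return entries

def missing_etypes(entries, principal, wanted_names):  # conf names lacking a key
    have = {e for p, _, e in entries if p == principal}
    return sorted(n for n in wanted_names if ETYPE_IDS[n] not in have)

def _entry(principal, etype, key, kvno=1):  # serialise one entry for the sample
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", 1, 0, kvno, etype)   # name_type 1 = KRB5_NT_PRINCIPAL
    return struct.pack(">i", len(body + key) + 2) + body + struct.pack(">H", len(key)) + key

# Constructed sample keytab: the SPN from the question, one rc4-hmac key, dummy key bytes
SAMPLE_SPN = "HTTP/laptop-name.mycompany.com:8080@MYCOMPANY.COM"
SAMPLE_KEYTAB = b"\x05\x02" + _entry(SAMPLE_SPN, 23, bytes(16), kvno=3)
CONF_ETYPES = "arcfour-hmac-md5 rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc".split()
```

Run `parse_keytab(open("keytab.keytab", "rb").read())` against a real file to see what ktpass wrote; `missing_etypes` returning every configured name for a principal means that principal has no key in the keytab at all.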
