
I'm trying to deploy my Spring Boot jar application on Windows but get the error: [Krb5LoginModule] authentication failed KrbException: Cannot locate default realm

On my localhost, everything is OK with the authentication, but when I deploy the jar on the production server I get the error, even though both Windows machines are in the same company domain.

The system administrator told me that for other applications, the authentication is based on Kerberos and IIS, so the ticket exchange for authentication is very easy.

Here's my security config:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;

// Imports and the enclosing @Configuration class are assumed here so the beans compile;
// the question only shows the bean methods. DummyUserDetailsService is the application's own class.
@Configuration
public class SecurityConfig {

    // Username/password provider: Spring logs in against the KDC with the submitted credentials.
    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        KerberosAuthenticationProvider provider =
                new KerberosAuthenticationProvider();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        client.setDebug(true);
        provider.setKerberosClient(client);
        provider.setUserDetailsService(dummyUserDetailsService());
        return provider;
    }

    // Entry point that answers unauthenticated requests with 401 + WWW-Authenticate: Negotiate.
    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        //return new SpnegoEntryPoint("/login");
        return new SpnegoEntryPoint();
    }

    // Filter that extracts the SPNEGO token from the Authorization header and authenticates it.
    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter =
                new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    // Provider that validates the service ticket carried in the SPNEGO token.
    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider =
                new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(dummyUserDetailsService());
        return provider;
    }

    // Ticket validator: needs the service principal and the keytab holding that principal's key.
    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        SunJaasKerberosTicketValidator ticketValidator =
                new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal("HTTP/localhost@fgao.fr");
        ticketValidator.setKeyTabLocation(new FileSystemResource("c:\\user\\tomcat.keytab"));
        ticketValidator.setDebug(true);
        return ticketValidator;
    }

    @Bean
    public DummyUserDetailsService dummyUserDetailsService() {
        return new DummyUserDetailsService();
    }
}

I don't know if I have to specify the keytab file, because on Windows no keytab or krb5.conf file is needed, so the c:\user\tomcat.keytab file is empty.

Can someone help me with this, please?

1 Answer


You will need a keytab file.
A keytab file contains the keys which are required by the Kerberos module to decrypt the incoming Kerberos token.

A keytab file is not present out of the box, as it is specific to a user account in AD.
It has to be generated by your system admin and given to you. You will need a service user (dedicated to your application). Generate a keytab for it.
Copy it onto your application server and specify its path in Spring.

Check the ktpass command on Windows for more details about creating a keytab.
You may also need to check the krb5 conf file: what it contains and how you can specify it inside Spring.

  • Thanks, I finally found the issue: the app's launcher user was SYSTEM and not in the domain, so it was not able to exchange tickets in Kerberos. Now that problem is solved, but I still must enter a Windows login + password to access the app, so it is not full SSO. Do you know what the issue is? Regards – Ayoub Hammami Sep 11 '20 at 12:01
  • Add your application URL to the browser's local intranet trusted sites. Doing this, it will not give a popup. – Bhushan Karmarkar Sep 11 '20 at 12:30
  • Thanks, but I still have a problem with the SSO configuration; in fact I must implement IIS or ADFS to make it possible (without asking the domain controller for authentication). How can I configure the embedded Tomcat to communicate with IIS or ADFS? Thanks – Ayoub Hammami Sep 15 '20 at 15:45
  • Regarding your first point: how did you manage to solve the keytab issue? Without it, authentication simply won't work. Regarding your second point, you don't need ADFS. Your application must negotiate with the browser to get the user's Kerberos token by sending HTTP 401 and a WWW-Authenticate: Negotiate header. I am not sure if this functionality is present by default in IIS. In a Java web app, this is the way to negotiate. – Bhushan Karmarkar Sep 16 '20 at 04:15
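As an added illustration of the answer's two points (specifying the krb5 conf inside Spring, and not running with an empty keytab), this is example code written for this page, not code from the question or from Spring Security Kerberos; the paths, realm and service principal are assumed placeholders to be replaced with what the domain admin provides:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;

@Configuration
public class KerberosRealmConfig {

    // Assumed placeholder values: an explicit krb5.ini (with [libdefaults] default_realm and the
    // realm's KDC), the keytab generated with ktpass for the service account, and its SPN.
    private static final String KRB5_CONF = "c:\\kerberos\\krb5.ini";
    private static final String KEYTAB = "c:\\kerberos\\tomcat.keytab";
    private static final String SERVICE_PRINCIPAL = "HTTP/app.example.corp@EXAMPLE.CORP";

    // Sets java.security.krb5.conf for the JVM, so Krb5LoginModule reads the realm and KDC from
    // this file instead of relying on the host's or launcher account's domain lookup
    // (the "Cannot locate default realm" situation).
    @Bean
    public GlobalSunJaasKerberosConfig globalSunJaasKerberosConfig() {
        GlobalSunJaasKerberosConfig config = new GlobalSunJaasKerberosConfig();
        config.setKrb5Location(KRB5_CONF);
        config.setDebug(true);
        return config;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() throws IOException {
        Path keytab = Paths.get(KEYTAB);
        // Fail fast at startup: a missing or empty keytab holds no key, so no service ticket
        // could ever be decrypted and every SPNEGO login would fail later with a vaguer error.
        if (!Files.isRegularFile(keytab) || Files.size(keytab) == 0) {
            throw new IllegalStateException("Keytab missing or empty: " + keytab);
        }
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal(SERVICE_PRINCIPAL);
        validator.setKeyTabLocation(new FileSystemResource(keytab.toFile()));
        validator.setDebug(true);
        return validator;
    }
}
```

The service principal must match the SPN registered on the service account when the keytab was created, otherwise the ticket the browser presents is for a principal whose key the keytab does not contain.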