
I'm running two sample web apps that are secured by Spring Security Kerberos. After logging into one, I expected the other app to not require login. Here are the details of my setup:

On Ubuntu Linux, I have installed Kerberos and configured per this documentation. I replaced EXAMPLE.ORG with my domain, MYDOMAIN.LOCAL. Here's my krb5.conf:

[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        kdc_tcp_port = 12345 
        kdc_udp_port = 12345

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        MYDOMAIN.LOCAL = {
                kdc = localhost
                admin_server = localhost
        }

I also added two service principals: HTTP/subdomain1.mydomain.local@MYDOMAIN.LOCAL and HTTP/subdomain2.mydomain.local@MYDOMAIN.LOCAL.

Then I built this Spring Security Kerberos sample code following this documentation.

I ran two instances of this sample app with different config parameters:

App 1

server:
    port: 9122
app:
    service-principal: HTTP/subdomain1.mydomain.local@MYDOMAIN.LOCAL
    keytab-location: /tmp/tomcat.keytab 

App 2

server:
    port: 9123
app:
    service-principal: HTTP/subdomain2.mydomain.local@MYDOMAIN.LOCAL
    keytab-location: /tmp/tomcat2.keytab 

Both app instances are running on the same Linux machine hosting my Kerberos (KDC) instance.

On my local Windows machine, I configured Firefox per this. I set network.negotiate-auth.trusted-uris=http://subdomain1.mydomain.local,http://subdomain2.mydomain.local.

I edited my hosts file (on the Windows machine) so that subdomain2.mydomain.local points to the same IP address as subdomain1.mydomain.local (since my DNS doesn't know about subdomain2).

Using Firefox, I navigated to http://subdomain1.mydomain.local/hello which is secured. As expected I got the login page. I logged in as user1 and got the hello page (which displays `Hello user1@MYDOMAIN.LOCAL`).

On another Firefox tab, I navigated to http://subdomain2.mydomain.local/hello. I was prompted to login again. Why?

James
  • Did you see this https://github.com/spring-projects/spring-security-kerberos/issues/103 ? – badger Oct 25 '21 at 11:12
  • @ha - I had not seen that. Thanks for referencing. I read it but I'm not sure where I'd put the delegation code that reuses the context. Do you know? Perhaps a `Filter`? I'm also not sure what to do with the `GSSContext` once I have it. Any thoughts? – James Oct 25 '21 at 15:39
  • I think it's normal here. subdomain1 and subdomain2 are different sites with different keytabs. Please try with one keytab and apply a [domain_realm] section that configures the sub-domain, according to this topic: https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/domain_005frealm.html#domain_005frealm – Huy Nguyen Oct 29 '21 at 13:13
  • @huy - I'm now pointing both App 1 and App 2 to the same key tab. I also added a `[domain_realm]` section to my `krb5.conf` file. It has the following two lines: `subdomain1.mydomain.local = MYDOMAIN.LOCAL` and `subdomain2.mydomain.local = MYDOMAIN.LOCAL`. I'm seeing the same behavior as described in the OP. Any ideas on why SSO is still not working with these changes? – James Nov 01 '21 at 20:27
  • @James Did you regenerate the keytab based on the main domain? – Huy Nguyen Nov 02 '21 at 05:39
  • @huy No. Which principal corresponds to the main domain? I tried `ktadd -k /tmp/domain.keytab K/M@MYDOMAIN.LOCAL` and `ktadd -k /tmp/domain.keytab krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL` in kadmin. Both commands returned without creating the file. – James Nov 02 '21 at 15:20
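The comments above suggest fixing the `[domain_realm]` mapping. The following script is an added example (it is not from the question, the comments, or Spring Security Kerberos) that shows how a client library decides which realm a service host belongs to: an exact hostname entry wins, then each parent domain with a leading dot, and otherwise `default_realm` (that fallback is an assumption here; real libraries may also consult DNS). It then checks each `HTTP/<host>@REALM` service principal against that mapping and against a Firefox `network.negotiate-auth.trusted-uris` value. The krb5.conf text, the third principal and the suffix-matching rule for bare domain entries are constructed for the example.

```python
"""Check Kerberos realm mapping and browser trust for HTTP service principals.

Added example: a hypothetical diagnostic helper, not code from the question
or from the Spring Security Kerberos project.
"""
from urllib.parse import urlsplit

# Constructed krb5.conf: the asker's file plus a [domain_realm] section that
# maps one host explicitly and the whole parent domain by suffix.
KRB5_CONF = """\
[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        forwardable = true

[realms]
        MYDOMAIN.LOCAL = {
                kdc = localhost
                admin_server = localhost
        }

[domain_realm]
        subdomain1.mydomain.local = MYDOMAIN.LOCAL
        .mydomain.local = MYDOMAIN.LOCAL
"""

# Firefox preference value from the question.
TRUSTED_URIS = "http://subdomain1.mydomain.local,http://subdomain2.mydomain.local"

SERVICE_PRINCIPALS = [
    "HTTP/subdomain1.mydomain.local@MYDOMAIN.LOCAL",
    "HTTP/subdomain2.mydomain.local@MYDOMAIN.LOCAL",
    "HTTP/other.example.org@MYDOMAIN.LOCAL",  # constructed: host is not trusted by the browser
]


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}} for flat key = value
    lines. Nested realm blocks ({ ... }) are skipped because only
    [libdefaults] and [domain_realm] are needed here."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def realm_for_host(host, conf):
    """[domain_realm] lookup: exact host, then parent domains with a leading
    dot, then default_realm (assumed fallback; DNS lookup is not modelled)."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")


def host_trusted(host, trusted_uris):
    """Approximation of Firefox's trusted-uris matching: a URI entry must
    match the hostname exactly; a bare domain entry matches by suffix."""
    host = host.lower()
    for entry in (e.strip() for e in trusted_uris.split(",") if e.strip()):
        if "://" in entry:
            if urlsplit(entry).hostname == host:
                return True
        else:
            domain = entry.lstrip(".").lower()
            if host == domain or host.endswith("." + domain):
                return True
    return False


def check_principals(principals, conf, trusted_uris):
    """For each HTTP/host@REALM principal, report whether the host maps to the
    realm named in the principal and whether the browser would negotiate."""
    report = []
    for spn in principals:
        _service, _, rest = spn.partition("/")
        host, _, realm = rest.partition("@")
        mapped = realm_for_host(host, conf)
        report.append({
            "principal": spn,
            "mapped_realm": mapped,
            "realm_matches": mapped == realm,
            "browser_trusts_host": host_trusted(host, trusted_uris),
        })
    return report


if __name__ == "__main__":
    for row in check_principals(SERVICE_PRINCIPALS, parse_krb5_conf(KRB5_CONF), TRUSTED_URIS):
        print(row)
```

A principal whose `realm_matches` is false will never get a usable service ticket from the realm in the keytab, and a host that is not `browser_trusts_host` will be served the fallback login form instead of a Negotiate token; both hosts in the question pass these two checks, which is why the first answer looks elsewhere (at whether the Windows client holds a TGT from this KDC at all).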

2 Answers

1

Did you log in on your Windows machine using the same Linux KDC? As I understand your post, the KDC is not an AD Domain Controller. So Windows will not generate a negotiation token that can be matched on your KDC if you log in standalone (Windows Home Edition). Kerberos is a triangle of trust, so the KDC has to trust the client (Windows) and the Tomcat server that forwards the request. Only then may the Spring Security ticket validator accept the token sent from your Firefox.

0

Please consider the following two options:

    1. If you are trying to go across domains and expect the same login token to work, then please reconsider your approach/solution and set up single sign-on; look here.
    2. If you are having issues with Windows forcing you to re-login, it could be a trust and configuration issue.
Transformer
  • Thanks for the links but this doesn't answer my question. Can you tell me specifically why SSO is not working based on my OP? – James Nov 01 '21 at 21:45