using keytab file with spring security kerberos extension
Asked Answered
C

1

1

My goal: implement SSO on a java-based web application. My problem: I'm not a security guy...

After some investigation I found that spring security kerberos extension is what I need (also looked into apache shiro but could only find example with a login page).

I used the samples in the following project: https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-sample

I realized that I need to create a keytab. When I tried to use the keytab I got the following error:

javax.security.auth.login.LoginException: Unable to obtain password from user

Looking for some details about this error I saw that it could result from a wrong keytab location, but this is not the case here - I debugged into the source code and saw that the keytab file is loaded.

So I decided to check my keytab and see if it's ok. First, this is last command (after a long evolution) I used to create my keytab:

ktpass /out http-web.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass MyPass /ptype KRB5_NT_PRINCIPAL

Of course I created an SPN for MyUser with the following command:

setspn -a HTTP/[email protected] MYDOMAIN.COM\MyUser

I tested the spn with the the following:

setspn -Q HTTP/[email protected]

And got a successful result:

Checking domain DC=mydomain,DC=com CN=MyUser,OU=MyOrg,DC=mydomain,DC=com
    HTTP/MyUser
    HTTP/[email protected]

Existing SPN found!

Now I wanted to test if I can obtain a ticket for MyUser by running the following command:

kinit [email protected]

I got a successful result ("new ticket is stored in cache file....")

Now I wanted to test it with my keytab:

kinit [email protected] -k -t http-web.keytab

Got the following exception:

Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:

I used klist tool to see if my keytab contains any keys:

klist -e -K -k -t  http-web.keytab

Got the following result:

KVNO: 8
Key type: 23
Key: 0x47bf8039a8506cd67c524a03ff84ba4e
Time stamp: Jan 01, 1970 02:00

As a last desperate attempt, I checked the following account options for MyUser:

  • Use Kerberos DES encryption types for this account
  • The account suppoerts Kerberos AES 128 bit encryption
  • The account suppoerts Kerberos AES 256 bit encryption

I'm not sure if setting these options caused it, but now when I run

kinit [email protected]

I get the following error:

Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)

So I'm kind of desperate here, I don't really know what I'm doing. It's all a matter of trial and error (mostly error). If anyone can guide me through here it would be much appreciated.

Thanks, Lior

Carboxylate answered 19/5, 2014 at 6:47 Comment(0)
C
0

Turned out to be a stupid mistake. I injected in spring the user account instead of the principal name as the servicePrincipal.

Carboxylate answered 20/5, 2014 at 7:4 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.