Kerberos SSO implemented with Java


I am trying to create a Java program that will get my Windows user's credentials, then connect to the Kerberos on my Unix box, authenticate, and allow me to use a service, for example an LDAP server.

All examples I have found tend, when run, to ask me for my password; I do not want this. I wish to be able to run the program and, 'as if by magic', be Kerberos authenticated.

Any links and examples are appreciated.


1 answer

JayTee

We have successfully set up SSO using Kerberos with a Java EE application, authenticating against a Windows Active Directory, after many weeks of trials and web crawling.

JBoss Negotiation and Spring Kerberos have both worked for us. However, neither set of documentation is accurate enough to get you off the ground running. Put simply, for either solution...

  1. Create a service user in Active Directory.
  2. Use ktpass to create a keytab file for this user (many gotchas with ktpass, as listed below).
  3. Use setspn -A to fix ktpass.
  4. Ensure your krb5.conf (Linux) or krb5.ini (Windows) is correct.
  5. Ensure you are not running the client on the same box as the server.
  6. Ensure your times are in sync across your domain.
  7. Test Kerberos using kinit from the JDK.
  8. Configure your web application to delegate authentication via the provided filter.
  9. Configure an XML file to use the appropriate service principal user as created initially.
  10. Run your service as the principal user!
  11. If using Spring, you can then implement a UserDetailsService to query LDAP (Active Directory) and set roles on the user principal.
  12. From within your application the user principal should be != null.

ktpass problems:

  1. Ensure your service user is set to "User cannot change password" in Active Directory.
  2. Ensure you provide the password on the command line.
  3. Ensure that you can still open a command prompt as that user after generating the keytab.
  4. Ensure you specify KRB5_NT_PRINCIPAL.
  5. The format should be: ktpass /out c:\service.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass /ptype KRB5_NT_PRINCIPAL
  6. Add the fully qualified service principal using setspn -A as follows: setspn -A HTTP/hostname.testdomain.server.com userservice
  7. DO NOT RESET THE SERVICE PRINCIPAL USER'S PASSWORD (you will have to regenerate your keytab).

Finally, before every single test, use kinit purge to clear cached tickets.

Also, duplicate SPNs will break things badly! setspn -X in Windows Server 2008 will detect this (or Google for a script). If in doubt when doing this, start afresh with a new service user and principal name every time!

Hope this helps someone avoid the pain I've had.
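As an added example (not code from the question or the answer): a Java client that logs in from the ticket cache already populated by Windows logon or kinit, with doNotPrompt set so a password is never requested, plus the JAAS entry a service would use to read the ktpass keytab from the answer instead of holding a password. Realm, keytab path and LDAP host are hypothetical, and running it needs a reachable KDC and a correct krb5.conf.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class KerberosSsoClient {
    // Hypothetical JAAS configuration. SsoClient reuses the cached TGT; doNotPrompt=true makes
    // login FAIL rather than ask for a password (the "no prompt" behaviour the question wants).
    // SsoServer is what the web application (steps 8/9) uses: the HTTP/ principal's keytab.
    static final String JAAS_CONFIG =
        "SsoClient {\n"
      + "  com.sun.security.auth.module.Krb5LoginModule required\n"
      + "    useTicketCache=true doNotPrompt=true renewTGT=true;\n"
      + "};\n"
      + "SsoServer {\n"
      + "  com.sun.security.auth.module.Krb5LoginModule required\n"
      + "    useKeyTab=true keyTab=\"/etc/service.keytab\" storeKey=true\n"
      + "    principal=\"HTTP/hostname.testdomain.server.com@TESTDOMAIN.SERVER.COM\"\n"
      + "    doNotPrompt=true isInitiator=false;\n"
      + "};\n";

    /** Logs in from the ticket cache and builds the initial GSS-API token for a service. */
    public static byte[] initialToken(String hostBasedService) throws Exception {
        LoginContext lc = new LoginContext("SsoClient"); // no CallbackHandler: nothing can prompt
        lc.login();
        Subject subject = lc.getSubject();
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");                // Kerberos V5 mechanism
            GSSName server = manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = manager.createContext(server, krb5, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true); // require the service to prove its identity to us too
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);    // carries the AP-REQ
            ctx.dispose();
            return token;
        });
    }

    public static void main(String[] args) throws Exception {
        Path cfg = Files.createTempFile("jaas", ".conf");
        Files.writeString(cfg, JAAS_CONFIG);
        System.setProperty("java.security.auth.login.config", cfg.toString());
        // krb5.conf / krb5.ini (step 4) must name the realm and KDC for this to work.
        byte[] token = initialToken("ldap@ldap.testdomain.server.com"); // hypothetical LDAP host
        System.out.println("Obtained " + token.length + "-byte Kerberos GSS-API token");
    }
}
```

On Windows, Java can only read the logon session's TGT from the LSA cache if the allowtgtsessionkey registry value is enabled; otherwise run kinit first. Keep the keytab readable only by the service account, since it is equivalent to that principal's password.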