Authenticating a server using kerberos - java

I thought it would be a good idea to use Kerberos on Windows 2003 to authenticate a Java server application against Active Directory. That way, we will not have to put a password in a file. But this does not work.
[2012-09-20 17:42:19,301] ERROR Cannot authenticate server via JAAS
javax.security.auth.login.LoginException: No LoginModules configured for KerberosLogin
at javax.security.auth.login.LoginContext.init(LoginContext.java:273)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349)
If I run the exact same code and configuration on Windows XP, then authentication works. In both cases I am using Java 7 u07.

It turned out that the TGT I had acquired via the JDK's kinit command had expired.
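The following is an added example, not code from the question or answer above. It shows the two things the thread turns on: the name handed to LoginContext must match a JAAS entry (otherwise "No LoginModules configured for KerberosLogin"), and a TGT taken from the ticket cache has a lifetime that a long-running server should check. The entry is supplied in code with a Configuration subclass rather than a jaas.conf file; the option values and the krbtgt/ check are the assumptions here.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the original post): registers the "KerberosLogin" JAAS
 * entry programmatically so the LoginContext lookup cannot fail with
 * "No LoginModules configured for KerberosLogin", logs in from the ticket cache
 * populated by kinit, and reports how much lifetime the TGT has left.
 */
public class KerberosServerLogin {

    /** Must match the name passed to LoginContext, exactly as in the stack trace above. */
    static final String ENTRY_NAME = "KerberosLogin";

    /**
     * Equivalent to this jaas.conf entry (normally selected with
     * -Djava.security.auth.login.config=jaas.conf):
     *   KerberosLogin { com.sun.security.auth.module.Krb5LoginModule required
     *                   useTicketCache=true doNotPrompt=true renewTGT=true; };
     */
    static Configuration ticketCacheConfiguration() {
        Map<String, String> options = new HashMap<String, String>();
        options.put("useTicketCache", "true"); // reuse the TGT obtained with kinit
        options.put("doNotPrompt", "true");    // a server must fail, never block on a password prompt
        options.put("renewTGT", "true");       // renew a renewable TGT instead of failing near expiry
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // Returning null for any other name is exactly what produces the
                // "No LoginModules configured for <name>" LoginException
                return ENTRY_NAME.equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /** Logs in through JAAS and returns the authenticated Subject. */
    static Subject login() throws LoginException {
        Configuration.setConfiguration(ticketCacheConfiguration());
        LoginContext lc = new LoginContext(ENTRY_NAME);
        lc.login();
        return lc.getSubject();
    }

    /**
     * Seconds of validity left on the TGT (server principal krbtgt/REALM@REALM)
     * held by the Subject, or Long.MIN_VALUE if the Subject carries no TGT.
     */
    static long tgtSecondsRemaining(Subject subject) {
        long remaining = Long.MIN_VALUE;
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket ticket : tickets) {
            if (ticket.getServer().getName().startsWith("krbtgt/")) {
                long secs = (ticket.getEndTime().getTime() - System.currentTimeMillis()) / 1000;
                remaining = Math.max(remaining, secs);
            }
        }
        return remaining;
    }

    public static void main(String[] args) {
        try {
            Subject subject = login();
            long secs = tgtSecondsRemaining(subject);
            if (secs == Long.MIN_VALUE) {
                System.err.println("Logged in, but the Subject holds no TGT");
            } else {
                System.out.println("TGT valid for another " + secs + " s; re-run kinit before it expires");
            }
        } catch (LoginException e) {
            // With doNotPrompt=true an expired or missing TGT surfaces here instead of as a prompt
            System.err.println("Kerberos login failed: " + e.getMessage());
        }
    }
}
```

Because the entry is registered in code, the error in the question cannot come from a missing or mis-located jaas.conf; what remains is the state of the ticket cache, which is why the remaining-lifetime check is the first thing worth logging at startup. On Windows, Java can only read the LSA (logon session) ticket cache when the session key is exported to user space; the file cache written by the JDK's own kinit, as used in the question, does not have that restriction.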

Related

Has anyone implemented JSch using Kerberos/GSSAPI-based authentication?

As we are in a corporate environment, with basic configuration changes SSH Kerberos works seamlessly in OpenSSH:
ssh -K server@domain.com
Since the default Kerberos setup didn't work, we installed MIT Kerberos and generated ktab files for the application to use.
However, we are not aware of how to set up the Kerberos settings and properties for JSch. Password-based authentication is working fine, but we are not sure how to implement gssapi-with-mic. Any pointers or suggestions would be appreciated.
Jsch connection with Kerberos
How to create these files with valid values, with an explanation, would be appreciated.
JSch has been around for more than a decade, and I don't see a single workable sample with Kerberos/GSSAPI authentication online. If anyone has successfully implemented it, kindly let me know.
JSch has Kerberos authentication enabled by default (which is a frequent cause of problems).
So you should not need to do anything special to use it in JSch. Just try to log in with the username only.
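Added example, not from the question or from the JSch project. It follows the answer (nothing Kerberos-specific is configured in JSch itself) but makes the session deliberately strict: only gssapi-with-mic is allowed, so a Kerberos problem produces an exception instead of silently falling back to a password prompt, and JSch's logger is attached so the failure is visible. The krb5.conf and known_hosts paths are parameters and the ticket cache is assumed to already hold a TGT.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Logger;
import com.jcraft.jsch.Session;

/**
 * Added example (not JSch's own code): opens an SSH session that may authenticate
 * only with gssapi-with-mic, with logging enabled so a Kerberos failure is
 * reported rather than hidden behind a fallback to password authentication.
 */
public class JschKerberosSession {

    static Session openGssapiSession(String user, String host,
                                     String krb5ConfPath, String knownHostsPath) throws JSchException {
        // JGSS reads realm and KDC settings from this file (path is a parameter, not a JSch setting);
        // pointing at the MIT krb5.conf avoids the platform-specific JDK defaults
        System.setProperty("java.security.krb5.conf", krb5ConfPath);
        // Let JGSS pick credentials up from the credential cache (kinit / ktab login)
        // instead of requiring them inside a JAAS Subject
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // Surface JSch's own diagnostics; GSSAPI failures are logged here
        JSch.setLogger(new Logger() {
            public boolean isEnabled(int level) { return level >= Logger.INFO; }
            public void log(int level, String message) { System.err.println("jsch[" + level + "] " + message); }
        });

        JSch jsch = new JSch();
        jsch.setKnownHosts(knownHostsPath);      // host key pinning; do not weaken StrictHostKeyChecking
        Session session = jsch.getSession(user, host, 22);
        // Only gssapi-with-mic: a broken Kerberos setup must fail loudly, not prompt for a password
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        session.setConfig("StrictHostKeyChecking", "yes");
        session.connect(10000);                  // connect timeout in milliseconds
        return session;
    }

    public static void main(String[] args) throws JSchException {
        // Arguments (placeholders, not values from the question):
        //   user host /etc/krb5.conf /home/user/.ssh/known_hosts
        Session s = openGssapiSession(args[0], args[1], args[2], args[3]);
        System.out.println("Authenticated to " + s.getHost() + " as " + s.getUserName());
        s.disconnect();
    }
}
```

JSch requests a service ticket for the host name you pass in (after canonicalising it through DNS), so the name must resolve to the name the host/ service principal was registered under; when that is not the case the log will show the GSS error while a default JSch session would simply move on to the next authentication method.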

Kerberos Authentication. Defective token detected

I am developing a web application with Kerberos (v1.0.1) authentication.
My aim is to provide a login through Windows authentication against Active Directory (Windows Server 2008 R2).
The problem is that the browser sends an NTLM ticket to the back end instead of a Kerberos ticket.
I used Wireshark to check the communication workflow:
I make a REST call on the back end
the application server responds to me with 401
the browser calls the Kerberos service on the Active Directory and receives the TGS_REP
now I expected the browser to call my REST service with the Kerberos token, but I received the NTLM token instead
My back-end service, developed in Java, throws the following exception:
GSSException: Defective token detected
EDIT 1:
The first problem was that we used the IP to generate the SPN and the keytab. So we created the keytab this way:
ktpass /out c:\keytab\myuser.keytab /mapuser myuser@company.com /princ HTTP/myuser.company.com@WELLD.CH /pass mypassword /ptype KRB5_NT_PRINCIPAL /crypto All
Then we added our BE server to the DNS:
<ip_server> myuser.company.com
At the moment we can log in with Kerberos, and the BE (Spring Boot) successfully validates the Kerberos token, but we can't download the user information with KerberosLdapContextSource, so we adopted a workaround and used the DefaultSpringSecurityContextSource bean.
Does anyone have any ideas or references to rely on?
Thanks
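Added example, not code from the question or from Spring Security Kerberos. "Defective token detected" is what the Java GSS layer says for any token it cannot parse as Kerberos, including the NTLM message a browser falls back to when it cannot get a service ticket for the name it connected to (the IP-based SPN in the EDIT). This class looks at the token before it is handed to GSSContext and classifies it, so the server log says "NTLM fallback" instead of a generic failure. The sample tokens in main are constructed from the format signatures, not captured traffic.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example: classify the token in an "Authorization: Negotiate ..." header. */
public class NegotiateTokenInspector {

    enum TokenKind { NTLM_RAW, KRB5_RAW, SPNEGO_KERBEROS, SPNEGO_NTLM, UNKNOWN }

    // Signature that starts every NTLM message
    static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER-encoded OIDs (tag 0x06, length, value)
    static final byte[] OID_SPNEGO  = hex("06062b0601050502");          // 1.3.6.1.5.5.2
    static final byte[] OID_KRB5    = hex("06092a864886f712010202");    // 1.2.840.113554.1.2.2
    static final byte[] OID_MS_KRB5 = hex("06092a864882f712010202");    // 1.2.840.48018.1.2.2
    static final byte[] OID_NTLMSSP = hex("060a2b06010401823702020a");  // 1.3.6.1.4.1.311.2.2.10

    static TokenKind classify(String authorizationHeader) {
        if (authorizationHeader == null) return TokenKind.UNKNOWN;
        String h = authorizationHeader.trim();
        int sp = h.indexOf(' ');
        if (sp < 0) return TokenKind.UNKNOWN;
        String scheme = h.substring(0, sp);
        if (scheme.equalsIgnoreCase("NTLM")) return TokenKind.NTLM_RAW;       // explicit NTLM scheme
        if (!scheme.equalsIgnoreCase("Negotiate")) return TokenKind.UNKNOWN;
        byte[] token;
        try {
            token = Base64.getDecoder().decode(h.substring(sp + 1).trim());
        } catch (IllegalArgumentException e) {
            return TokenKind.UNKNOWN;
        }
        // A browser without a service ticket sends a bare NTLM message under "Negotiate"
        if (startsWith(token, 0, NTLMSSP)) return TokenKind.NTLM_RAW;
        // GSS-API InitialContextToken: 0x60 <DER length> <mechanism OID> <inner token>
        if (token.length == 0 || token[0] != 0x60) return TokenKind.UNKNOWN;
        int oid = skipDerLength(token, 1);
        if (oid < 0) return TokenKind.UNKNOWN;
        if (startsWith(token, oid, OID_KRB5) || startsWith(token, oid, OID_MS_KRB5)) return TokenKind.KRB5_RAW;
        if (!startsWith(token, oid, OID_SPNEGO)) return TokenKind.UNKNOWN;
        // SPNEGO NegTokenInit: the first mechType listed is the one the mechToken was built for
        int krb = minNonNegative(indexOf(token, OID_MS_KRB5), indexOf(token, OID_KRB5));
        int ntlm = indexOf(token, OID_NTLMSSP);
        if (krb >= 0 && (ntlm < 0 || krb < ntlm)) return TokenKind.SPNEGO_KERBEROS;
        if (ntlm >= 0) return TokenKind.SPNEGO_NTLM;
        return TokenKind.UNKNOWN;
    }

    /** Offset just past a DER length field at pos, or -1 if malformed. */
    static int skipDerLength(byte[] b, int pos) {
        if (pos >= b.length) return -1;
        int first = b[pos] & 0xff;
        if (first < 0x80) return pos + 1;                  // short form: one byte
        int n = first & 0x7f;                              // long form: 0x80|n, then n length bytes
        if (n == 0 || n > 4 || pos + 1 + n >= b.length) return -1;
        return pos + 1 + n;
    }

    static int minNonNegative(int a, int b) { return a < 0 ? b : (b < 0 ? a : Math.min(a, b)); }

    static boolean startsWith(byte[] b, int off, byte[] prefix) {
        if (off < 0 || off + prefix.length > b.length) return false;
        for (int i = 0; i < prefix.length; i++) if (b[off + i] != prefix[i]) return false;
        return true;
    }

    static int indexOf(byte[] hay, byte[] needle) {
        for (int i = 0; i + needle.length <= hay.length; i++) if (startsWith(hay, i, needle)) return i;
        return -1;
    }

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static byte[] concat(byte[]... parts) {
        int n = 0;
        for (byte[] p : parts) n += p.length;
        byte[] out = new byte[n];
        int off = 0;
        for (byte[] p : parts) { System.arraycopy(p, 0, out, off, p.length); off += p.length; }
        return out;
    }

    static String header(byte[] token) { return "Negotiate " + Base64.getEncoder().encodeToString(token); }

    public static void main(String[] args) {
        // Constructed sample tokens: just enough of each format to be classified
        byte[] ntlmType1  = concat(NTLMSSP, hex("01000000"), hex("07820800"));
        byte[] rawKrb5    = concat(hex("600d"), OID_KRB5, hex("0100"));
        byte[] spnegoKrb  = concat(hex("601e"), OID_SPNEGO, OID_MS_KRB5, OID_KRB5);
        byte[] spnegoNtlm = concat(hex("608127"), OID_SPNEGO, OID_NTLMSSP, OID_KRB5, NTLMSSP); // long-form length
        String[][] samples = {
            { "NTLM under Negotiate", header(ntlmType1) },   // -> NTLM_RAW
            { "raw Kerberos AP-REQ", header(rawKrb5) },       // -> KRB5_RAW
            { "SPNEGO offering Kerberos", header(spnegoKrb) },// -> SPNEGO_KERBEROS
            { "SPNEGO offering NTLM", header(spnegoNtlm) },   // -> SPNEGO_NTLM
            { "Basic auth", "Basic Zm9vOmJhcg==" },           // -> UNKNOWN
        };
        for (String[] s : samples) System.out.println(s[0] + " -> " + classify(s[1]));
    }
}
```

Wire this in before the SPNEGO filter (for example in a servlet filter that reads the Authorization header) and log the result together with the Host header the browser used: an NTLM_RAW or SPNEGO_NTLM result paired with a host name that has no HTTP/ SPN is the signature of the exact problem in the EDIT above.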

Can't login to Jenkins behind Kerberos

I have Kerberos set up on a series of machines and cannot log in to a default deployment of Jenkins. My backend configuration looks like the following:
firewall.local (CentOS 7)
apache.local (CentOS 7)
tomcat.local (CentOS 7, Tomcat 7, Oracle JDK 7)
firewall.local forwards requests on 80 to apache.local. apache.local has AJP set up to tomcat.local.
All webapps work fine. I have them protected by a Kerberos login surfaced by Apache.
The problem is when I try to hit firewall.local/jenkins (internally this ends up being routed all the way to tomcat.local:8009/jenkins). I get a dialog asking for my username and password for Kerberos. This works. Then I'm prompted with a dialog box for Jenkins.
I've tried several Kerberos and non-Kerberos combinations and they always fail, resulting in continuous prompts for usernames and passwords.
Is there a default username and password for Jenkins? Is there something I might be missing?
I didn't know that the Jenkins setup has changed. I had to first go through the wizard, which first asked for a password located at
/opt/tomcat/.jenkins/secrets/initialAdminPassword
After the wizard completed and set up my user, I was able to log in.

Allow remote login to LDAP server

I installed an LDAP server on my virtual machine (CentOS) running on Windows; now I want to access it from Windows.
So how do I enable remote access to the LDAP server?
I tried installing 389 Directory Server (which is actually meant for Fedora); on some forum I heard it's an easy GUI to do the command-line jobs easily, but I did not find an option to enable remote login or any IP filters.
Note:
I am trying to use Java to log in to the LDAP server for authentication and authorization; for that I am using the UnboundID API.
You can suggest which API I should use; I am just a beginner.
Update:
My Java code:
LDAPConnection ldap = new LDAPConnection("http://xxx.xx.xx.xxx", 9830);
Error:
an error occurred while attempting to connect to server http://xxx.xx.xx.xxx:9830: java.io.IOException: An error occurred while attempting to establish a connection to server http://xxx.xx.xx.xxx:9830: java.net.UnknownHostException: http://xxx.xx.xx.xxx')
I also tried ldap://xxx.xx.xx.xxx instead of http://xxx.xx.xx.xxx
Don't specify the server address as a URL. Just specify the address as either an IP address or resolvable name. So instead of "http://xxx.xx.xx.xxx" just use "xxx.xx.xx.xxx".
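Added example, not code from the question, the answer or the UnboundID project. It goes one step beyond the answer: rather than passing a URL string to LDAPConnection (which treats it as a host name and fails with UnknownHostException, as in the question), it parses an ldap:// or ldaps:// URL with the SDK's LDAPURL class and hands host and port to the connection, then performs a simple bind with the checks a login path needs. The trust store path and the values in main are placeholders.

```java
import java.security.GeneralSecurityException;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPURL;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/** Added example: connect from an LDAP URL and authenticate a user with a simple bind. */
public class LdapLogin {

    /** Opens a connection described by "ldap://host:389" or "ldaps://host:636". */
    static LDAPConnection connect(String url, String trustStorePath)
            throws LDAPException, GeneralSecurityException {
        // LDAPURL rejects "http://..." and other malformed URLs with an LDAPException and
        // supplies the scheme's default port when the URL carries none
        LDAPURL parsed = new LDAPURL(url);
        LDAPConnectionOptions opts = new LDAPConnectionOptions();
        opts.setConnectTimeoutMillis(5000);
        if ("ldaps".equals(parsed.getScheme())) {
            // Validate the server certificate against a trust store (path assumed);
            // a trust-everything manager would make the TLS layer meaningless
            SSLUtil ssl = new SSLUtil(new TrustStoreTrustManager(trustStorePath));
            return new LDAPConnection(ssl.createSSLSocketFactory(), opts, parsed.getHost(), parsed.getPort());
        }
        return new LDAPConnection(opts, parsed.getHost(), parsed.getPort());
    }

    /**
     * Authenticates with a simple bind. An empty password is refused before the
     * bind is sent: RFC 4513 allows a server to treat DN-plus-empty-password as an
     * anonymous bind, which would "succeed" without proving anything.
     */
    static boolean authenticate(LDAPConnection conn, String userDn, String password) throws LDAPException {
        if (password == null || password.isEmpty()) return false;
        try {
            return conn.bind(new SimpleBindRequest(userDn, password)).getResultCode() == ResultCode.SUCCESS;
        } catch (LDAPException e) {
            if (e.getResultCode() == ResultCode.INVALID_CREDENTIALS) return false; // wrong password: a normal outcome
            throw e;                                                                 // server or network problem: propagate
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder arguments, not values from the question:
        //   ldap://ldap.example.test:389  uid=alice,ou=people,dc=example,dc=test  <password>
        LDAPConnection conn = connect(args[0], null);
        try {
            System.out.println("authenticated: " + authenticate(conn, args[1], args[2]));
        } finally {
            conn.close();
        }
    }
}
```

Keeping the scheme in the configuration value and parsing it with LDAPURL means a plain-text ldap:// URL is a visible choice rather than an accident of omitting the TLS socket factory.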

Kerberos SSO with Apache and Tomcat under JDK5

I'm new to authentication through the Kerberos protocol, so I tried to read a lot of howtos on it, but it seems I can't find anything specific to my constraints. Here is what I have:
An Active Directory server on which users authenticate to log into their workstations
Each end user uses IE 7 to connect to my intranet application
An Apache server with load balancing
Some Tomcat servers acting as workers for the Apache server
On each Tomcat, I have 2 Jakarta servlets running; users connect to only one servlet (further on I will call it "the servlet" as if there were only one)
My Tomcats need to run under JDK 5. Not JDK 6 or JDK 4. It's JDK 5, period.
Now I want users to automatically get logged on to my servlet. Basically I just need my servlet to retrieve the client's principal, then I can manage the rest.
Based on what I understood, my client has a ticket; he asks the KDC for a special ticket for accessing the Apache server, then he tries to connect to the Apache server. Based on its keytab, the Apache server then decodes the auth data and grants/refuses access to the specified resource.
Am I right? Please guide me through this; I've been reading pages for 4 days and still have no clue which solution is the most appropriate. I tried mod_auth_kerb for Apache, but instead of grabbing the user's ticket it asks for it like basic auth. Apparently SPNEGO
Thanks
OK, I got this working:
Install Kerberos 5 + Apache 2 + mod_auth_kerb.
On your AD, generate a keytab with only the principal you will use for Apache; I use HTTP/apache.mydom.com@MYDOM.COM
Put this keytab file on your Apache server and make it readable only by your Apache user.
Then edit your Apache conf with these directives for your secure location
apache.conf:
[…]
ServerName apache.mydom.com:80
[…]
LoadModule auth_kerb_module modules/mod_auth_kerb.so
[…]
<LocationMatch /secure>
[… some other stuff …]
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "Authentification requise"
KrbAuthRealms MYDOM.COM
# this allows the user to be saved in the request
KrbSaveCredentials on
# this one forces Negotiate AuthType instead of basic fallback
KrbMethodNegotiate on
# this trims the realm from the username saved in the request (request.getRemoteUser() will give you "user" instead of "user@MYDOM.COM")
KrbLocalUserMapping on
KrbAuthoritative on
KrbVerifyKDC on
Krb5Keytab /install/binaries/httpd/apache.keytab
KrbServiceName HTTP
require valid-user
</LocationMatch>
And the one thing I almost failed to find on the web: you have to modify your Tomcat server config (tomcat/conf/server.xml):
<Connector [... AJP connector configuration ...] request.tomcatAuthentication="false"/>
This is really important because without it your Tomcat won't retrieve any info from the Tomcat auth.
Don't forget too: DNS is really really really really important for a Kerberos install. If you have any issue, try checking your DNS for all of your servers.
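Added example for the Tomcat side of the answer above; it is not code from the answer. Once Apache has authenticated the user and the AJP connector is told to trust that (the server.xml change above), the servlet only sees a remote user string. This filter checks that the string actually arrived, accepts both the realm-stripped form (KrbLocalUserMapping on) and the full user@REALM form, and rejects principals from any other realm. It uses the Servlet 2.4 API so it compiles on JDK 5; the realm constant is taken from the answer's config, the attribute name is chosen here.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: validates the user name that Apache/mod_auth_kerb passed over AJP
 * and exposes the bare user name to the servlets behind it.
 */
public class ApacheKerberosPrincipalFilter implements Filter {

    /** Realm from the answer's KrbAuthRealms directive. Realm names are case-sensitive. */
    private static final String EXPECTED_REALM = "MYDOM.COM";

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    /** Bare user name, or null if the value is absent or belongs to a foreign realm. */
    static String localUser(String remoteUser) {
        if (remoteUser == null || remoteUser.length() == 0) return null;
        int at = remoteUser.indexOf('@');
        if (at < 0) return remoteUser;                               // realm already stripped by KrbLocalUserMapping
        if (!EXPECTED_REALM.equals(remoteUser.substring(at + 1))) return null; // cross-realm principal: not ours
        return remoteUser.substring(0, at);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String user = localUser(request.getRemoteUser());
        if (user == null) {
            // Typical causes: the location is not covered by the Apache <LocationMatch>, or
            // tomcatAuthentication was left enabled so Tomcat discarded the AJP user attribute
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.setAttribute("kerberos.user", user);   // attribute name chosen for this example
        chain.doFilter(req, res);
    }
}
```

Map the filter in web.xml onto the same URL pattern that the Apache <LocationMatch> protects; a request that reaches the servlet on any other path never passed through mod_auth_kerb, and the null remote user is what makes that visible.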
