creating service principal for springsecurity kerb

Published 2019-07-08 10:25

Question:

I'm following this post http://blog.springsource.com/2009/09/28/spring-security-kerberos/ to set up a service principal on a local server which I'll be using to test the Spring Security integration with Active Directory. The server has Tomcat running, where I deploy my application, and I access it at http://localhost:8080/myapp

Question

What should be my service provider name?

The article says:

For this to work, every web application needs to be registered at the Kerberos server and gets a service principal and a shared secret assigned. For web applications, the service principal must be "HTTP/@DOMAIN". For example "HTTP/web.springsource.com@SPRINGSOURCE.COM", if your app runs on web.springsource.com.

Since I'm running on localhost I guess it will be HTTP/localhost@.... What do I put in place of @SPRINGSOURCE.COM?

Answer 1:

For Kerberos to work, you should configure DNS and an AD server in your network. The application server and the client machine must use the DNS, and client machines must use AD authentication. Using the name "localhost" is NOT permissible. The application server may not be in the domain.

Suppose all machines are in the domain; then what you need is:

  1. Assign the application server a DNS name, e.g. appserver (appserver.yourdomain.local)
  2. Add the DNS name of your application server to the forward and reverse lookup zones of the DNS server. (link)
  3. Create a simple user in the domain and set the options "cannot change password" and "Password never expires" (e.g. username myUser)
  4. On the server, the domain controller, open a command prompt and run the following commands:

    C:>setspn -A HTTP/appserver myUser

    C:>setspn -A HTTP/appserver.yourdomain.local myUser

  5. Check that it is correct:

    C:>setspn -l myUser

    (if it displays what you entered previously, then everything is OK)

  6. Next, create a key file:

    C:>ktpass /out C:/myUser.keytab /mapuser myUser@YOURDOMAIN.LOCAL /princ HTTP/appserver.yourdomain.local@YOURDOMAIN.LOCAL /pass +rndPass /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0

That's it; now you can use the file myUser.keytab and the principal name HTTP/appserver.yourdomain.local in your web application.

These may be useful in the future:

  • Blank page after user cancels basic authentication
  • Combine custom authentication filter with spring-security-kerberos
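Before pointing Spring Security at the keytab from step 6, it is worth checking that the file really holds the expected HTTP/appserver.yourdomain.local@YOURDOMAIN.LOCAL principal with the RC4-HMAC key type ktpass was told to produce. The parser below is an added example, not code from the answer or from spring-security-kerberos; it reads the MIT keytab format (version 0x0502, which ktpass writes) and embeds a constructed sample keytab so it runs offline, where the key bytes and timestamp are dummy values.

```python
import struct

ENCTYPE_NAMES = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}

def build_keytab(principal, realm, enctype, kvno, key):
    """Constructed sample only: write one entry in MIT keytab v2 layout."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type=KRB5_NT_PRINCIPAL, timestamp (dummy), vno8
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype + key length + key bytes
    body += struct.pack(">I", kvno)                      # trailing 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return a list of (principal@REALM, enctype name, kvno) for every entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size < 0:                     # negative size marks a deleted slot; skip it
            off += -size; continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        (rlen,) = struct.unpack_from(">H", data, off); off += 2
        realm = data[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off); off += 2
            comps.append(data[off:off + clen].decode()); off += clen
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        etype, klen = struct.unpack_from(">HH", data, off); off += 4 + klen
        # MIT rule: use the trailing 32-bit kvno when present and nonzero, else the 8-bit one
        kvno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        kvno = kvno32 if kvno32 else vno8
        entries.append(("/".join(comps) + "@" + realm, ENCTYPE_NAMES.get(etype, str(etype)), kvno))
        off = end
    return entries

def check_service_principal(data, expected):
    """True when the keytab holds at least one key for the expected HTTP/host@REALM name."""
    return any(p == expected for p, _, _ in parse_keytab(data))

# Constructed sample matching the answer's ktpass arguments (key bytes are dummy zeros).
SAMPLE = build_keytab("HTTP/appserver.yourdomain.local", "YOURDOMAIN.LOCAL", 23, 0, bytes(16))
```

On a real file, replace SAMPLE with open("myUser.keytab", "rb").read(); an entry for HTTP/localhost, or no HTTP/ entry at all, is the usual reason a SPNEGO login fails with a "no key found" style error.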