My goal: implement SSO on a java-based web application. My problem: I'm not a security guy...
After some investigation I found that the Spring Security Kerberos extension is what I need (I also looked into Apache Shiro but could only find an example with a login page).
I used the samples in the following project: https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-sample
I realized that I need to create a keytab. When I tried to use the keytab I got the following error:
javax.security.auth.login.LoginException: Unable to obtain password from user
Looking for some details about this error I saw that it could result from a wrong keytab location, but this is not the case here - I debugged into the source code and saw that the keytab file is loaded.
So I decided to check my keytab and see if it's ok. First, this is the last command (after a long evolution) I used to create my keytab:
ktpass /out http-web.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass MyPass /ptype KRB5_NT_PRINCIPAL
Of course I created an SPN for MyUser with the following command:
setspn -a HTTP/[email protected] MYDOMAIN.COM\MyUser
I tested the SPN with the following:
setspn -Q HTTP/[email protected]
And got a successful result:
Checking domain DC=mydomain,DC=com CN=MyUser,OU=MyOrg,DC=mydomain,DC=com
HTTP/MyUser
HTTP/[email protected]
Existing SPN found!
Now I wanted to test if I can obtain a ticket for MyUser by running the following command:
kinit [email protected]
I got a successful result ("new ticket is stored in cache file....")
Now I wanted to test it with my keytab:
kinit [email protected] -k -t http-web.keytab
Got the following exception:
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
I used klist tool to see if my keytab contains any keys:
klist -e -K -k -t http-web.keytab
Got the following result:
KVNO: 8
Key type: 23
Key: 0x47bf8039a8506cd67c524a03ff84ba4e
Time stamp: Jan 01, 1970 02:00
As a last desperate attempt, I checked the following account options for MyUser:
I'm not sure if setting these options caused it, but now when I run
kinit [email protected]
I get the following error:
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
So I'm kind of desperate here, I don't really know what I'm doing. It's all a matter of trial and error (mostly error). If anyone can guide me through here it would be much appreciated.
Thanks, Lior
Turned out to be a stupid mistake. I injected in spring the user account instead of the principal name as the servicePrincipal.