Tags: kerberos, spnego, apacheds, gssapi, keytab

Why can't I do a kinit with an SPN?


I was following this tutorial on setting up Apache Directory Studio for a webapp to develop and test out Kerberos authentication (using SPNEGO). I set up the LDAP and ticket-granting service as well as some basic user accounts. I am able to do a kinit with the user accounts, so I know that portion is working well.

So, the current logs from that are indicating that it cannot decrypt the ticket. I tried using the keytab file with kinit and it wasn't working, so then I just tried to do a kinit and manually type in the password, which also doesn't work (even after verifying the password is correct in Apache Directory Studio). Here is the LDIF file I used for creating the SPN:

dn: uid=HTTP/example.com,ou=users,dc=security,dc=example,dc=com
objectClass: top
objectClass: krb5KDCEntry
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: person
objectClass: organizationalPerson
cn: HTTP/example.com
krb5KeyVersionNumber: 1
krb5PrincipalName: HTTP/example.com@EXAMPLE.COM
sn: Something
uid: HTTP/example.com
userPassword: secret

Whenever I do a kinit -V HTTP/example.com and type in the password, I just get:

HTTP/example.com@EXAMPLE.COM's Password: 
kinit: Password incorrect

This is my krb5.conf:

[libdefaults]
debug = true
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
    kdc = example.com:60088
    admin_server = example.com:60088
    default_domain = EXAMPLE.COM
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Solution

  • So, apparently you cannot set up an SPN that is the same as the default realm. I had to create a subdomain (myapp.example.com) and import the associated new LDIF file:

    dn: uid=HTTP/myapp.example.com,ou=users,dc=security,dc=example,dc=com
    objectClass: top
    objectClass: krb5KDCEntry
    objectClass: inetOrgPerson
    objectClass: krb5Principal
    objectClass: person
    objectClass: organizationalPerson
    cn: HTTP/myapp.example.com
    krb5KeyVersionNumber: 1
    krb5PrincipalName: HTTP/myapp.example.com@EXAMPLE.COM
    sn: myapp
    uid: HTTP/myapp.example.com
    userPassword: secret

    After that, I was able to kinit with HTTP/myapp.example.com. I was then able to set up a keytab and load that into my web server and got SSO working!
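A small consistency check, added here as an example and not part of the question or answer, that parses the shapes of krb5.conf and the SPN LDIF entry shown above and flags the situation the answer describes (a host component that is the realm's own domain). The inputs are constructed and trimmed to the attributes the check reads.

```python
import re

# Constructed inputs, trimmed to what the check reads, mirroring the question's krb5.conf and LDIF.
KRB5_CONF = "[libdefaults]\ndefault_realm = EXAMPLE.COM\n[domain_realm]\n.example.com = EXAMPLE.COM\nexample.com = EXAMPLE.COM\n"
SPN_REALM_DOMAIN = "dn: uid=HTTP/example.com,ou=users,dc=example,dc=com\nuid: HTTP/example.com\nkrb5PrincipalName: HTTP/example.com@EXAMPLE.COM\n"
SPN_SUBDOMAIN = "dn: uid=HTTP/myapp.example.com,ou=users,dc=example,dc=com\nuid: HTTP/myapp.example.com\nkrb5PrincipalName: HTTP/myapp.example.com@EXAMPLE.COM\n"

def parse_krb5_conf(text):
    # [section] -> {key: value}; keys nested inside { } realm blocks are skipped, only flat keys are read
    sections, current, depth = {}, None, 0
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            current = sections.setdefault(m.group(1), {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

def parse_ldif_entry(text):
    # One LDIF entry -> {attribute: [values]}; base64 (::) values and line folding are not needed here
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            entry.setdefault(key.strip(), []).append(value.strip())
    return entry

def check_spn_entry(ldif_text, krb5_text):
    # Returns a list of findings; an empty list means the SPN entry is consistent with krb5.conf
    conf, entry, findings = parse_krb5_conf(krb5_text), parse_ldif_entry(ldif_text), []
    principal = entry.get("krb5PrincipalName", [""])[0]
    m = re.fullmatch(r"([^/@]+)/([^/@]+)@([^@]+)", principal)
    if not m:
        return [f"krb5PrincipalName {principal!r} is not of the form service/host@REALM"]
    service, host, realm = m.groups()
    if realm != conf.get("libdefaults", {}).get("default_realm"):
        findings.append(f"realm {realm} is not the default_realm")
    if entry.get("uid", [""])[0] != f"{service}/{host}":
        findings.append("uid must equal the service/host part of krb5PrincipalName")
    mapped = {d for d, r in conf.get("domain_realm", {}).items() if r == realm}
    if not any(host == d or (d.startswith(".") and host.endswith(d)) for d in mapped):
        findings.append(f"[domain_realm] does not map {host} to {realm}")
    if host.lower() == realm.lower():  # the case the question ran into
        findings.append(f"host part {host} is the realm's own domain; use a host under it, e.g. myapp.{host}")
    return findings
```

Running check_spn_entry(SPN_REALM_DOMAIN, KRB5_CONF) yields the single realm-domain finding, while the subdomain entry yields none.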