1 Reply Latest reply on Feb 28, 2013 10:43 AM by C.S. Lauritsen

    SPNEGO Kerberos Authentication with mod_cluster proxy

    C.S. Lauritsen Newbie

      I am able to get SPNEGO to work with my setup. I've used jboss-negotiation-toolkit with success; I can access the secured section from my Windows AD-authenticated PC without being prompted to log in to the webapp.

       

      I've read that negotiation breaks when the hostname the browser sees for the request is different than the hostname of the application server running the SPNEGO check. I guess this makes sense, but I do have a problem, given this scenario:

      host A: runs apache with mod_cluster

      host B: runs a jboss application server, clustered with host C

      host C: runs a jboss application server, clustered with host B

       

      Hosts B & C register themselves with mod_cluster on host A.

       

      Now, assuming my users don't know anything about hosts B & C, only host A, e.g. they access the cluster through a URL like http://hostA.example.com/myWebApp/

      how can I set up SPNEGO authentication? Is this possible?

       

      If this has been addressed already, I'd appreciate a link to the discussion--I wasn't able to find it with the search terms I tried.

        • 1. Re: SPNEGO Kerberos Authentication with mod_cluster proxy
          C.S. Lauritsen Newbie

          I was able to make this work. The key was that the JBoss servers need to log in to Kerberos with a user ID that has the SPN of the webserver registered to it. The Kerberos user should be a dedicated user whose password doesn't expire. This was just a regular user, not a machine trust account.

           

          I'm using domain mode. Given the following:

           

            Kerberos Realm: COMPANY.COM

            AD Domain: COMPANY

            webserver running mod_cluster: webserver.company.com

            jboss master: jbossmaster.company.com

            jboss slave1: jbossslave1.company.com

            user account whose password doesn't expire: jbossuser, or COMPANY\jbossuser

           

          1. register the webserver SPN & create a keytab file

            ktpass -princ HTTP/webserver.company.com@COMPANY.COM -pass jbpassword -kvno 0 -mapuser COMPANY\jbossuser -out c:\jboss.keytab -ptype KRB5_NT_PRINCIPAL

          2. store password for register for Java (ktab is part of the JDK; use the same JDK version as your JBoss server)

             ktab.exe -k c:\jboss.keytab -a jbossuser@COMPANY.COM

          3. transfer c:\jboss.keytab to jbossmaster and jbossslave1

          4. add something like this to your domain.xml security subsystem:

          <security-domain name="host" cache-type="default">
              <authentication>
                  <login-module code="Kerberos" flag="required">
                      <module-option name="doNotPrompt" value="true" />
                      <module-option name="storeKey" value="true" />
                      <module-option name="useKeyTab" value="true" />
                      <module-option name="useTicketCache" value="true" />
                      <module-option name="debug" value="true" />
                      <module-option name="keyTab" value="/path/to/jboss.keytab" />
                      <module-option name="principal" value="HTTP/webserver.company.com" />
                  </login-module>
              </authentication>
          </security-domain>

          <security-domain name="app-security-domain" cache-type="default">
              <authentication>
                  <!-- allow, but do not require, password-based logins -->
                  <login-module code="RealmDirect" flag="sufficient">
                      <module-option name="password-stacking" value="useFirstPass" />
                  </login-module>
                  <login-module code="SPNEGO" flag="sufficient">
                      <module-option name="password-stacking" value="useFirstPass" />
                      <module-option name="serverSecurityDomain" value="host" />
                      <module-option name="removeRealmFromPrincipal" value="true" />
                      <module-option name="debug" value="true" />
                  </login-module>
              </authentication>
              <mapping>
                  <!-- you'll need to get roles from something else like ldap, database,
                       whatever -->
                  <!-- here we take static role mappings from jboss-web.xml -->
                  <mapping-module code="DeploymentRoles" type="role" />
              </mapping>
          </security-domain>

           

          5. if you use the DeploymentRoles mapping provider, add something like this to jboss-web.xml

            

          <security-role>
              <role-name>AdminRole</role-name>
              <principal-name>admin</principal-name>
              <principal-name>developer</principal-name>
          </security-role>

          <security-role>
              <role-name>UserRole</role-name>
              <principal-name>admin</principal-name>
              <principal-name>developer</principal-name>
          </security-role>

          <security-role>
              <role-name>DeploymentRole</role-name>
              <principal-name>admin</principal-name>
              <principal-name>developer</principal-name>
          </security-role>

           

           

          Also, I did set the system properties java.security.krb5.kdc & java.security.krb5.realm. This isn't strictly necessary, but for us (we have a large global AD network) I needed to point to a local server rather than jumping around the globe.

           

          If you run into trouble, setting the system properties javax.net.debug & sun.security.krb5.debug was extremely helpful.
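
The check below is an added example, not part of the original post and not JBoss code: it reads a keytab like the one copied to the JBoss hosts in step 3 and confirms it holds the SPN for the hostname users type in the URL (the proxy), not a backend's name. It assumes the browser requests HTTP/<URL host>; the function names and the sample keytab are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit

def _counted(buf, p):  # uint16 length-prefixed bytes -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a keytab file (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative: deleted entry to skip; zero: end marker
            pos = pos - size if size else len(data)
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 8                             # skip name type and timestamp
        kvno = data[p]                     # 8-bit key version number
        (etype,) = struct.unpack_from(">H", data, p + 1)
        _, p = _counted(data, p + 3)       # key bytes are skipped, never returned
        if end - p >= 4:                   # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return entries

def build_entry(name, realm, kvno, etype, key):  # only used to construct samples
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the post's SPN with kvno 0, enctype 23 (rc4-hmac), all-zero key.
SAMPLE = b"\x05\x02" + build_entry("HTTP/webserver.company.com", "COMPANY.COM", 0, 23, bytes(16))

def check_proxy_spn(url, realm, keytab):
    """Return (SPN expected for the URL's host, matching keytab entries)."""
    wanted = f"HTTP/{urlsplit(url).hostname}@{realm}"   # assumption: SPN is HTTP/<URL host>
    return wanted, [e for e in parse_keytab(keytab) if e[0] == wanted]
```

To check a deployed file, pass open("/path/to/jboss.keytab", "rb").read() as the keytab argument; an empty match list for the user-facing URL means the server cannot accept the tickets browsers will send.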