1. Re: SPNEGO Kerberos Authentication with mod_cluster proxy
clauritsen Feb 28, 2013 10:43 AM (in response to clauritsen)

I was able to make this work. The key was that the JBoss servers need to log in to Kerberos with a user ID that has the SPN of the webserver registered to it. The Kerberos user should be a dedicated user whose password doesn't expire. This was just a regular user, not a machine trust account.
I'm using domain mode. Given the following:
Kerberos Realm: COMPANY.COM
AD Domain: COMPANY
webserver running mod_cluster: webserver.company.com
jboss master: jbossmaster.company.com
jboss slave1: jbossslave1.company.com
user account whose password doesn't expire: jbossuser, or COMPANY\jbossuser
1. register the webserver SPN & create a keytab file
ktpass -princ HTTP/webserver.company.com@COMPANY.COM -pass jbpassword -kvno 0 -mapuser COMPANY\jbossuser -out c:\jboss.keytab -ptype KRB5_NT_PRINCIPAL
2. store the password for Java (ktab is part of the JDK; use the same JDK version as your JBoss server)
ktab.exe -k c:\jboss.keytab -a jbossuser@COMPANY.COM
3. transfer c:\jboss.keytab to jbossmaster and jbossslave1
4. add something like this to your domain.xml security subsystem:
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="doNotPrompt" value="true" />
            <module-option name="storeKey" value="true" />
            <module-option name="useKeyTab" value="true" />
            <module-option name="useTicketCache" value="true" />
            <module-option name="debug" value="true" />
            <module-option name="keyTab" value="/path/to/jboss.keytab" />
            <module-option name="principal" value="HTTP/webserver.company.com" />
        </login-module>
    </authentication>
</security-domain>
<security-domain name="app-security-domain" cache-type="default">
    <authentication>
        <!-- allow, but do not require, password-based logins -->
        <login-module code="RealmDirect" flag="sufficient">
            <module-option name="password-stacking" value="useFirstPass" />
        </login-module>
        <login-module code="SPNEGO" flag="sufficient">
            <module-option name="password-stacking" value="useFirstPass" />
            <module-option name="serverSecurityDomain" value="host" />
            <module-option name="removeRealmFromPrincipal" value="true" />
            <module-option name="debug" value="true" />
        </login-module>
    </authentication>
    <mapping>
        <!-- you'll need to get roles from something else like ldap, database, whatever -->
        <!-- here we take static role mappings from jboss-web.xml -->
        <mapping-module code="DeploymentRoles" type="role" />
    </mapping>
</security-domain>
5. if you use the DeploymentRoles mapping provider, add something like this to jboss-web.xml
<security-role>
    <role-name>AdminRole</role-name>
    <principal-name>admin</principal-name>
    <principal-name>developer</principal-name>
</security-role>
<security-role>
    <role-name>UserRole</role-name>
    <principal-name>admin</principal-name>
    <principal-name>developer</principal-name>
</security-role>
<security-role>
    <role-name>DeploymentRole</role-name>
    <principal-name>admin</principal-name>
    <principal-name>developer</principal-name>
</security-role>
Also, I did set the system properties java.security.krb5.kdc & java.security.krb5.realm. This isn't strictly necessary, but for us (we have a large global AD network) I needed to point to a local server rather than jumping around the globe.
If you run into trouble, setting the system properties javax.net.debug & sun.security.krb5.debug was extremely helpful.
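A check worth running before step 4 of the procedure above: the keytab copied to jbossmaster and jbossslave1 has to contain an entry for exactly the principal the "host" security domain will request, i.e. the principal module option ("HTTP/webserver.company.com") with the default realm appended, otherwise the Kerberos login module cannot acquire the service key. The script below is an added example and not code from the post or from JBoss; it parses the MIT keytab v2 layout that ktpass, Java's ktab and MIT ktutil all write and resolves the principal the way the JAAS Kerberos module does. The keytab it inspects is constructed in memory to mirror what steps 1 and 2 would produce (one HTTP/ SPN entry, one jbossuser entry); its key bytes, kvnos, enctypes and timestamps are made up, and ENCTYPE_NAMES, lookup_spn and SAMPLE_ENTRIES are names chosen here, not anything from the post. Point parse_keytab at the bytes of a real jboss.keytab to check a live file.

```python
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1  # the -ptype used by ktpass in the post

# RFC 3961/3962/4757 enctype numbers AD commonly issues (names for display only)
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "HTTP/webserver.company.com@COMPANY.COM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """uint16 big-endian length prefix + bytes, as used for realm and name components."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise entries in MIT keytab v2 layout: 0x0502 header, then int32 size + body per entry."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)  # optional 32-bit kvno; non-zero overrides the 8-bit field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a v2 keytab (ktpass/ktab/ktutil output) into KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab, header %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted entry (a hole); skip its bytes
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:  # trailing 32-bit kvno present
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, timestamp, kvno, enctype, key))
    return entries


def lookup_spn(entries, principal_option: str, default_realm: str):
    """Resolve the login module's "principal" option (realm appended if absent) and find matching entries."""
    full = principal_option if "@" in principal_option else f"{principal_option}@{default_realm}"
    return full, [e for e in entries if e.principal == full]


# Constructed stand-in for c:\jboss.keytab after the post's steps 1 (ktpass) and 2 (ktab -a).
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/webserver.company.com@COMPANY.COM", KRB5_NT_PRINCIPAL, 1362000000, 3, 23, bytes(range(16))),
    KeytabEntry("jbossuser@COMPANY.COM", KRB5_NT_PRINCIPAL, 1362000100, 3, 18, bytes(range(32))),
]

if __name__ == "__main__":
    entries = parse_keytab(build_keytab(SAMPLE_ENTRIES))  # for a real file: parse_keytab(open(path, "rb").read())
    for e in entries:
        print(f"{e.principal:45} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    full, hits = lookup_spn(entries, "HTTP/webserver.company.com", "COMPANY.COM")
    print("login module will request", full, "->", "found" if hits else "MISSING")
```

If the lookup reports MISSING for the HTTP/ entry, the ktpass principal, the module option, or the default realm disagree; compare the printed principal strings character by character (realm case included) before touching the security-domain config.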