0 Replies Latest reply on Nov 4, 2015 8:31 AM by shyam agrawal

    Configure Kerberos for JBOSS EAP 6.4

    shyam agrawal Newbie

      Hi,

      I am getting Error while hitting URL of jboss server.

       

      18:59:55,212 INFO  [stdout] (http-/127.0.0.1:8080-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is F:\Tools\Jboss-EAP\standalone\configuration\kerbores.keytab refreshKrb5Config is false principal is HTTP/kerbores@myRealm tryFirstPass is false useFirstPass is false storePass is false clearPass is false

      18:59:55,296 INFO  [stdout] (http-/127.0.0.1:8080-1)            [Krb5LoginModule] authentication failed

      18:59:55,296 INFO  [stdout] (http-/127.0.0.1:8080-1) Client not found in Kerberos database (6)

       

      I followed all the steps mentions in below URL.

      https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html/Security_Guide/Configure_Kerberos_or_Microsoft_Active_Directory_Desktop_SSO_for_Web_Applications.html

       

      My krbf.ini is placed in C:\Windows\krb5.ini which contains all the information related to realms and domain.

      I am able to run kinit command and new ticket is getting generated.

      "New ticket is stored in cache file C:\Users\shyagrawal\krb5cc_shyagrawal"

       

      I modified standalone.bat file as mentioned in URL.

      <security-domain name="host" cache-type="default">

                          <authentication>

                              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">

                                  <module-option name="storeKey" value="true"/>

                                  <module-option name="useKeyTab" value="true"/>

                                  <module-option name="principal" value="HTTP/kerbores@MyRealm"/>

                                  <module-option name="keyTab" value="F:\Tools\Jboss-EAP\standalone\configuration\kerbores.keytab"/>

                                  <module-option name="doNotPrompt" value="true"/>

                                  <module-option name="debug" value="true"/>

                              </login-module>

                          </authentication>

                      </security-domain>

                      <security-domain name="SPNEGO" cache-type="default">

                          <authentication>

                              <login-module code="SPNEGO" flag="requisite">

                                  <module-option name="password-stacking" value="useFirstPass"/>

                                  <module-option name="serverSecurityDomain" value="host"/>

                              </login-module>

                          </authentication>

                      </security-domain>

       

      Added code in web.xml file.

      Web.xml

      <security-constraint>

              <display-name>require valid user</display-name>

              <web-resource-collection>

                  <web-resource-name>Kerberos Application</web-resource-name>           

                  <url-pattern>/*</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                  <role-name>*</role-name>

              </auth-constraint>

              <!-- <user-data-constraint>

              <transport-guarantee>NONE</transport-guarantee>

            </user-data-constraint> -->

          </security-constraint>

          <security-role> 

              <description>security role</description>

              <role-name>*</role-name>

          </security-role>

       

      jboss-web.xml

      <?xml version="1.0" encoding="UTF-8"?>

      <jboss-web>

          <security-domain>SPNEGO</security-domain>

          <valve>

          <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>

          </valve>

          <jacc-star-role-allow>true</jacc-star-role-allow>

          <context-root>kerberoes</context-root>

      </jboss-web>

       

      Please let me know if I missed anything in above steps.

       

      Thanks,

      Shyam Agrawal