1 Reply Latest reply on Dec 16, 2008 2:54 AM by Guofeng Zhang

    SPNEGO/Kerberos authentication succeeds, why?

    Guofeng Zhang Novice

      I met a strange case. I can not interpret it. Could someone please tell me what cause it. Thanks in advance.

      I develop a web application using SPNEGO/Kerberos (Java GSS) to do SSO. JDK 1.6 update 16, JBoss 4.0.4.GA, Windows 2003 Server network.

      The following is what I have done in a domain, for example, domaina.com:
      (1)I create a SPN and the keytab file, and copy the keytab to the iVIEW server machine.
      (2) I configure the krb5.conf file to use this keytab file, and configur Sun's Krb5LoginModule in login-config.xml. I run my web server on the computer in this domain.
      (3) On another machine in this domain, I use IE 6 to access my web application. Everything works as expected, the user's principal name is displayed correctly.

      The strange case is when I try to access my application server on another domain:
      (1)To let IE send the SPNEGO token to my application, I create a SPN in this domain for that web application server, and add an entry in this domain's DNS server so that the hostname referenced in this SPN is resolved to the IP address of my applicatin server mainchine in domaina.com.
      (2)I did not change any configuration on my application server machine.
      (3)Then I use IE on a machine in this doman to access my application server. It is surprised that the authentication passed. The user principal name is displayed correctly. It is the name of the user log on this machine.

      I think that the AP_REQ message from IE to my application server is encrypted. In last test, the message should not be decrpted by my applicaton server.

      Does anyone meet the similiar case, could anyone please tell me where I did it incorrectly?

      Thanks!.

      the following are the configuration files:

      login module configuration:

      <application-policy name = "com.sun.security.jgss.krb5.accept">
       <authentication>
       <login-module code = "com.sun.security.auth.module.Krb5LoginModule"
       flag = "required ">
       <module-option name = "useKeyTab">true</module-option>
       <module-option name = "storeKey">true</module-option>
       <module-option name = "doNotPrompt">true</module-option>
       <module-option name = "principal">HTTP/myapp.domaina.com@DOMAINA.COM</module-option>
       </login-module>
       </authentication>
       </application-policy>
      

      krb5.conf
      [libdefaults]
       default_keytab_name = D:/jboss-4.0.4.GA/bin/app.keytab
       default_realm = DOMAINA.COM
       default_tkt_enctypes = rc4-hmac
       default_tgs_enctypes = rc4-hmac
       kdc_timesync = 0
       kdc_default_options = 0x40000010
       clockskew = 300
       check_delegate = 0
       ccache_type = 3
       kdc_timeout = 60000
      [realms]
       DOMAINA.COM = {
       kdc = 192.168.227.39:88
       }
      
      
      [domain_realm]
       .domaina.com = DOMAINA.COM