spring-security-kerberos can't read keytab?

Arthur Ulfeldt · May 26, 2011 · Viewed 10k times

I'm trying to follow this tutorial for spring-security-kerberos. I have a keytab with one principal in it:

ktutil:  rkt http-web.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/[email protected]

This keytab was generated on the Win 2k8 domain controller with this command:

ktpass /out http-web.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass *

which was copied over to the test web server used in spnego.xml:

<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
  <property name="servicePrincipal" value="HTTP/[email protected]" />
  <property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />
  <property name="debug" value="true" />
</bean>

but it fails to find the principal:

Key for the principal HTTP/[email protected] not available in 
jndi:/localhost/spring-security-kerberos-sample-1.0.0.CI-SNAPSHOT/WEB-INF/http-web.keytab
            [Krb5LoginModule] authentication failed 
Unable to obtain password from user

I have tried joining the web server (CentOS 5.5, Tomcat 6) to the AD WAD.ENG.HYTRUST.COM and can log in using AD credentials, and then using a principal from /etc/krb5.keytab just to see if it can be read... same response. I also tried lots of variants on uppercasing and lowercasing the names.

PS: checked it out from git this morning.

Answer

Art Licis · Sep 4, 2012

There're several mistakes that lead to "Unable to obtain password from user":

  1. incorrectly specified location of the keytab file (just like @jasop pointed out); it should be something like classpath:http-web.keytab or file:c:/http-web.keytab
  2. incorrectly specified principal name (i.e., a principal name that doesn't match the actual one for which the keytab file was generated)
  3. white spaces in the keytab file path (not sure if this has ever been fixed); saw complaints in comments on the SPRING SECURITY KERBEROS/SPNEGO EXTENSION SpringSource blog entry, and received evidence on my dev environment (Windows 7 / Java 6): the absolute path must be considered at all times (even if the keytab is referenced by classpath with no spaces)
  3. white spaces in a keytab file path (note sure if this has ever been fixed),- saw complaints in comments on SPRING SECURITY KERBEROS/SPNEGO EXTENSION SpringSource blog entry, and received evidence on my dev environment - Windows 7 / Java 6,- the absolute path must be considered at all times (even if keytab referenced by classpath with no spaces)