Using Kerberos in a virtual machine

Douglas E. Engert deengert at anl.gov
Thu Jul 12 12:32:11 EDT 2012


[Yes, there are people on this list...]

On 7/11/2012 3:50 AM, phiroc at free.fr wrote:
> Hello,
>
> I am currently running a Spring application on Centos in a VirtualBox VM hosted on Windows 7 and am trying to implement Kerberos ActiveDirectory pre-authentication as in this example:
>
> http://blog.springsource.org/2009/09/28/spring-security-kerberos/
>
> I would like to create a Kerberos service principal, using a "virtual" full qualified domain name, eg
>
> HTTP/centos1.mycompany.com at centos1.mycompany.com
>
> By "virtual", I mean that the "centos1.mycompany.com" is not known by the company DNS or ActiveDirectory,
> because it only exists within the VM.

But you refer to the realm of centos1.mycompany.com in the principal too, and I assume
what you want to do is use your existing AD as the KDC, and get your AD admins to add
the principal to AD. Thus you have to use the AD domain name (in upper case) in the
principal.

>
> I have the following questions:
>
> - can you use Kerberos to authenticate users connecting to a web application running in a virtual machine?

  Yes.

>
> - will the above service principal work, although the machine's hostname only exists within the VM?

Well, both the client and the server have to agree on the principal name, and DNS is usually used,
but /etc/hosts on both sides can also be used to do the mapping. Since you are using HTTP, the
browser has to be able to map the hostname from a URL to an IP and use the hostname in a principal,
and the web server has to be running at that IP, and has to know that it is running as the hostname.

The KDC really does not care what host name you used, as long as the principal is unique
within the realm.

>
> - is "centos1.mycompany.com" a good service principal, or do I need to create an SP such as

I would say no, as someone else might use the same name on their VM.  You don't have
to use your company name here either.

>
> "web.centos1.mycompany.com"?

Keep it unique if possible, as you may want to add it to DNS. Better still add it to DNS
now, it might be easier in the long run.

>
> Many thanks.
>
> Best regards,
>
> Philroc
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
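The reply above makes two concrete points: the browser builds the service principal from the hostname in the URL (so client and server must agree on that name via DNS or /etc/hosts), and the realm part must be the AD domain in upper case, not the VM's hostname. The following is an added example, not code from the thread or from the Spring Security Kerberos project. It derives the SPN a SPNEGO-capable browser will request for a URL and checks a proposed principal against that rule. The /etc/hosts content and the IP address are constructed, and `mycompany.com` is assumed to be the AD domain (so the realm is `MYCOMPANY.COM`).

```python
"""Derive the Kerberos SPN a browser will request for a URL and sanity-check a
proposed service principal against the VM's name mapping. Added example; the
hosts data and AD domain are assumptions, not values from the mailing-list post."""
from urllib.parse import urlsplit

# Constructed /etc/hosts content. The same line is needed on the Windows host
# (browser side) and inside the VM (server side) so both resolve the FQDN to the
# address the web server actually listens on. The address is made up.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# host-only adapter address of the VM (constructed)
192.168.56.101  centos1.mycompany.com  centos1
"""

AD_DOMAIN = "mycompany.com"  # assumed AD domain; the realm is its upper-case form


def parse_hosts(text):
    """Return {hostname: ip} from /etc/hosts-style text, handling comments and aliases."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower().rstrip(".")] = ip
    return mapping


def browser_principal(url, realm):
    """SPN a browser asks the KDC for: HTTP/<host from URL>@<REALM>.

    The browser uses the hostname in the URL (lower-cased, port dropped), not
    whatever name the server believes it has, so the two must line up."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no hostname")
    return f"HTTP/{host.lower().rstrip('.')}@{realm}"


def check_principal(principal, hosts, ad_domain):
    """Return a list of problems with a proposed service principal; empty means OK."""
    problems = []
    try:
        svc, rest = principal.split("/", 1)
        host, realm = rest.rsplit("@", 1)
    except ValueError:
        return [f"{principal!r} is not of the form service/host@REALM"]
    if svc != "HTTP":
        problems.append(f"service {svc!r} is not HTTP; browsers request HTTP/<host>")
    if realm != ad_domain.upper():
        problems.append(
            f"realm {realm!r} must be the AD domain in upper case: {ad_domain.upper()!r}")
    if "." not in host:
        problems.append(f"host {host!r} is not fully qualified")
    if host.lower() not in hosts:
        problems.append(
            f"host {host!r} has no DNS or /etc/hosts entry; clients cannot build this SPN")
    return problems


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    url = "http://centos1.mycompany.com:8080/app"
    spn = browser_principal(url, AD_DOMAIN.upper())
    print("browser will request:", spn)
    for candidate in (spn, "HTTP/centos1.mycompany.com@centos1.mycompany.com"):
        print(candidate, "->", check_principal(candidate, hosts, AD_DOMAIN) or "OK")
```

Run stand-alone, the script shows the poster's original principal (realm equal to the VM hostname) being flagged, while `HTTP/centos1.mycompany.com@MYCOMPANY.COM` passes once the hostname is in the hosts mapping. The check is deliberately offline: it does not contact a KDC, it only catches the naming mismatches the reply describes before a `keytab` is requested from the AD admins.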



