Using Kerberos in a virtual machine

Jeremy Hunt jeremyh at optimation.com.au
Thu Jul 12 22:44:24 EDT 2012


Hi Philroc,

If you have routing and firewalls set up to allow access to your virtual 
machines from whatever client machines you have, then there is no reason 
why a virtual machine cannot act as a server or a client. I have done 
this in the past. Though not your specific example.

The instructions in your link say your service principal contains the 
fully qualified domain name of your machine. So if your putative domain 
name is MYCOMPANY.COM, and your server is called 'centos1', your service 
principal is HTTP/centos1.mycompany.com@MYCOMPANY.COM. If your putative 
domain name is CENTOS1.MYCOMPANY.COM, and your server is called 'alex', 
your service principal is 
HTTP/alex.centos1.mycompany.com@CENTOS1.MYCOMPANY.COM. If this does not 
make sense, you probably should read up on principal names in Kerberos.

The fully qualified domain name is a URL pointing to your machine, that 
is, the name resolves to an IP address. You can achieve the URL being 
resolved in a number of ways:
1. The simple way is to add entries to the 'hosts' files of your server 
and client machines with a bogus fully qualified domain name as an alias 
for your machine, e.g. assuming centos1 is the name of your machine:
     10.100.200.1 centos1.mycompany.com centos1
    (or whatever your machine's IP address is. If you do not know what 
an IP address is then read up on it).
You can do this in Windows and Unix. Note, you usually need the long 
name as the first entry, and I think it is good practice to have the 
short name as an alias.
2. Set up a DNS server that your clients and server can reference that 
serves similar 'bogus' addresses to that above, and defer to a senior 
DNS server to serve other addresses such as other company machines and 
general web addresses. If you do not understand this paragraph refer 
back to 1.

I hope that helps and gets you started.

Jeremy

phiroc at free.fr wrote:
> Hello,
>
> I am currently running a Spring application on CentOS in a VirtualBox VM hosted on Windows 7 and am trying to implement Kerberos ActiveDirectory pre-authentication as in this example:
>
> http://blog.springsource.org/2009/09/28/spring-security-kerberos/
>
> I would like to create a Kerberos service principal, using a "virtual" fully qualified domain name, e.g.
>
> HTTP/centos1.mycompany.com@centos1.mycompany.com
>
> By "virtual", I mean that the "centos1.mycompany.com" is not known by the company DNS or ActiveDirectory,
> because it only exists within the VM.
>
> I have the following questions:
>
> - can you use Kerberos to authenticate users connecting to a web application running in a virtual machine?
>
> - will the above service principal work, although the machine's hostname only exists within the VM?
>
> - is "centos1.mycompany.com" a good service principal, or do I need to create an SP such as
>
> "web.centos1.mycompany.com"?
>
> Many thanks.
>
> Best regards,
>
> Philroc
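The naming rule and the hosts-file ordering discussed in the reply above, as an added example that is not part of the original thread. It assumes the client canonicalizes the host name through the resolver, where the first name on a hosts line is the canonical one; the helper names and the sample hosts files are constructed for illustration.

```python
"""Derive the HTTP service principal a client will request from hosts-file data."""

# Constructed sample hosts files; names and address are the thread's examples.
GOOD_HOSTS = """\
127.0.0.1      localhost
10.100.200.1   centos1.mycompany.com centos1   # long name first, short alias
"""
BAD_HOSTS = """\
127.0.0.1      localhost
10.100.200.1   centos1 centos1.mycompany.com   # short name first
"""

def parse_hosts(text):
    """Return a list of (ip, canonical_name, aliases) from hosts-file text."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            entries.append((fields[0], fields[1].lower(),
                            [f.lower() for f in fields[2:]]))
    return entries

def canonical_name(entries, name):
    """Canonical (first) name of the entry that lists `name`, or None."""
    name = name.lower()
    for _ip, canon, aliases in entries:
        if name == canon or name in aliases:
            return canon
    return None

def service_principal(entries, name, realm, service="HTTP"):
    """Build service/fqdn@REALM; refuse names that do not canonicalize to an FQDN."""
    canon = canonical_name(entries, name)
    if canon is None:
        raise LookupError(f"{name} does not resolve")
    if "." not in canon:
        raise ValueError(f"{name} canonicalizes to short name {canon!r}, not an FQDN")
    # Realm names are upper case by convention, as in the thread's examples.
    return f"{service}/{canon}@{realm.upper()}"

if __name__ == "__main__":
    print(service_principal(parse_hosts(GOOD_HOSTS), "centos1", "MYCOMPANY.COM"))
    try:
        service_principal(parse_hosts(BAD_HOSTS), "centos1", "MYCOMPANY.COM")
    except ValueError as exc:
        print("misordered hosts entry:", exc)
```

Running the same check against the hosts file on both the server and each client shows whether they agree on the name that ends up in the principal.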