Using Kerberos in a virtual machine
Jeremy Hunt
jeremyh at optimation.com.au
Thu Jul 12 22:44:24 EDT 2012
Hi Philroc,

If you have routing and firewalls set up to allow access to your virtual
machines from whatever client machines you have, then there is no reason
why a virtual machine cannot act as a server or a client. I have done
this in the past, though not your specific example.

The instructions of your link say your service principal contains the
fully qualified domain name of your machine. So if your putative domain
name is MYCOMPANY.COM, and your server is called 'centos1', your service
principal is HTTP/centos1.mycompany.com@MYCOMPANY.COM. If your putative
domain name is CENTOS1.MYCOMPANY.COM, and your server is called 'alex',
your service principal is
HTTP/alex.centos1.mycompany.com@CENTOS1.MYCOMPANY.COM. If this does not
make sense you probably should read up on principal names in Kerberos.

The fully qualified domain name is a URL pointing to your machine, that
is, the name resolves to an IP address. You can achieve the URL being
resolved in a number of ways:

1. The simple way is to add entries to the 'hosts' files of your server
and client machines with a bogus fully qualified domain name as an alias
for your machine, e.g. assuming centos1 is the name of your machine:

    10.100.200.1 centos1.mycompany.com centos1

(or whatever your machine's IP address is. If you do not know what
an IP address is then read up on it).
You can do this in Windows and Unix. Note, you usually need the long
name as the first entry, and I think it is good practice to have the
short name as an alias.

2. Set up a DNS server that your clients and server can reference that
serves similar 'bogus' addresses to that above, and defer to a senior
DNS server to serve other addresses such as other company machines and
general web addresses. If you do not understand this paragraph refer
back to 1.

I hope that helps and gets you started.

Jeremy

phiroc at free.fr wrote:
> Hello,
>
> I am currently running a Spring application on CentOS in a VirtualBox VM hosted on Windows 7 and am trying to implement Kerberos ActiveDirectory pre-authentication as in this example:
>
> http://blog.springsource.org/2009/09/28/spring-security-kerberos/
>
> I would like to create a Kerberos service principal, using a "virtual" fully qualified domain name, e.g.
>
> HTTP/centos1.mycompany.com@centos1.mycompany.com
>
> By "virtual", I mean that the "centos1.mycompany.com" is not known by the company DNS or ActiveDirectory,
> because it only exists within the VM.
>
> I have the following questions:
>
> - can you use Kerberos to authenticate users connecting to a web application running in a virtual machine?
>
> - will the above service principal work, although the machine's hostname only exists within the VM?
>
> - is "centos1.mycompany.com" a good service principal, or do I need to create an SP such as
>
> "web.centos1.mycompany.com"?
>
> Many thanks.
>
> Best regards,
>
> Philroc
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
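
An added example, not part of the original message or of any Kerberos project: a Python check that a hosts file lists the fully qualified name first for a machine and derives the HTTP service principal from it, as the reply describes. The function names and both sample hosts files are constructed, and the samples use the standard hosts layout of address, canonical name, then aliases.

```python
import ipaddress

# Constructed sample hosts files (not from the original post).
GOOD_HOSTS = """\
127.0.0.1      localhost
10.100.200.1   centos1.mycompany.com centos1
"""
BAD_HOSTS = """\
127.0.0.1      localhost
10.100.200.1   centos1 centos1.mycompany.com   # short name listed first
"""


def parse_hosts(text):
    """Return {ip: [canonical_name, alias, ...]} from hosts-file text."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        entries.setdefault(fields[0], []).extend(fields[1:])
    return entries


def http_spn(hosts_text, short_name, realm):
    """Build HTTP/<fqdn>@<REALM> for short_name.

    Raises ValueError when the first (canonical) name of the matching entry
    is not fully qualified, and LookupError when no entry names the machine.
    """
    for ip, names in parse_hosts(hosts_text).items():
        lowered = [n.lower() for n in names]
        if short_name.lower() not in [n.split(".")[0] for n in lowered]:
            continue
        canonical = lowered[0]
        if "." not in canonical:
            raise ValueError(f"{ip}: first name {canonical!r} is not fully qualified")
        return f"HTTP/{canonical}@{realm.upper()}"
    raise LookupError(f"no hosts entry for {short_name!r}")


if __name__ == "__main__":
    print(http_spn(GOOD_HOSTS, "centos1", "mycompany.com"))
```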