kerberos / spnego
Booker Bense
bbense at gmail.com
Mon Oct 8 10:14:38 EDT 2012
On Mon, Oct 8, 2012 at 5:21 AM, miten mehta <imiten at yahoo.com> wrote:
> Hi,
>
> I have attempted kerberos for SSO for web app using spring-security and have doubts. would appreciate if one can take look at my post here and advise.
>
> http://forum.springsource.org/showthread.php?130775-spring-security-spnego-kerberos-sso&p=426585#post426585
>
If the software is really capable of doing SPENGO, you should never
need to enter your password into the web application. That's the whole
point.
Most browsers need some configuration tweaks to enable SPENGO, I think
only Explorer will do it out of the box. If the web app has
a valid keytab and support for SPENGO, it should never need to talk to the KDC.
It looks like what is really happening is that the software is
attempting to use some form of basic auth where it requests a
username/password
and uses kerberos to verify the password. The error message you are
seeing suggests that the kerberos library it's using doesn't have
proper
support for PRE-AUTH ( old version of Java?)
If you want support for kerberos in Java, you should be using at least
1.6. Most prior versions have very broken kerberos support.
If you're willing to live with username/pw on the web application,
then you'll likely have better luck using LDAP rather than kerberos.
- Booker C. Bense
More information about the Kerberos
mailing list