kerberos / spnego

miten mehta imiten at yahoo.com
Tue Oct 9 01:18:22 EDT 2012


Hi Booker,

I am using Internet Explorer 9 and assume it should be configured already for spnego.  The webapp as such has to do some auth prompting so I guess it starts out dong jaas based basic auth.  I am just following pretty much the article at spring security and their samples.

http://blog.springsource.org/2009/09/28/spring-security-kerberos/

http://git.springsource.org/spring-security/se-security/trees/4f00f949bc13fd1588dda0053be35a55fd4fe93f/spring-security-kerberos/spring-security-kerberos-sample/src

I as such have kerberos working fine for ssh, rsh etc.


Regards,

Miten.



________________________________
 From: Booker Bense <bbense at gmail.com>
To: miten mehta <imiten at yahoo.com> 
Cc: "kerberos at mit.edu" <kerberos at mit.edu> 
Sent: Monday, October 8, 2012 7:44 PM
Subject: Re: kerberos / spnego
 
On Mon, Oct 8, 2012 at 5:21 AM, miten mehta <imiten at yahoo.com> wrote:
> Hi,
>
> I have attempted kerberos for SSO for web app using spring-security and have doubts.  would appreciate if one can take look at my post here and advise.
>
> http://forum.springsource.org/showthread.php?130775-spring-security-spnego-kerberos-sso&p=426585#post426585
>

If the software is really capable of doing SPENGO, you should never
need to enter your password into the web application. That's the whole
point.
Most browsers need some configuration tweaks to enable SPENGO, I think
only Explorer will do it out of the box. If the web app has
a valid keytab and support for SPENGO, it should never need to talk to the KDC.

It looks like what is really happening is that the software is
attempting to use some form of basic auth where it requests a
username/password
and uses kerberos to verify the password. The error message you are
seeing suggests that the kerberos library it's using doesn't have
proper
support for PRE-AUTH ( old version of Java?)

If you want support for kerberos in Java, you should be using at least
1.6. Most prior versions have very broken kerberos support.

If you're willing to live with username/pw on the web application,
then you'll likely have better luck using LDAP rather than kerberos.

- Booker C. Bense


More information about the Kerberos mailing list