Java SSO: Kerberos authentication against Active Directory
<p>I'm still trying to find a Java-based solution for SSO (running on *nix), which I can use on JBoss to authorize against an Active Directory/domain controller. I initially tried to do this via NTLM, but gave up because it will not be supported on Windows Server >= 2008.</p>
<p>Therefore I'm trying to implement this using Kerberos, but it seems impossible to find a correct/working solution. Please point me in the right direction explaining how to set up such a configuration, how to validate against the Active Directory and/or domain controller in order to:</p>
<ol>
<li>find out if the account is valid and</li>
<li>fetch the group list of the user</li>
</ol>
<p>Any help is appreciated!</p>
<hr>
<p><strong>UPDATE</strong></p>
<p>I'm working on a solution using jcifs-ext-0.9.4 and jcifs-krb5-1.3.12. I set up the web.xml as described below:</p>
<pre class="lang-xml prettyprint-override"><code>&lt;web-app&gt;
  &lt;!-- servlet / servlet-mapping / welcome-file-list skipped --&gt;
  &lt;filter&gt;
    &lt;filter-name&gt;auth&lt;/filter-name&gt;
    &lt;filter-class&gt;jcifs.http.AuthenticationFilter&lt;/filter-class&gt;
    &lt;init-param&gt;
      &lt;param-name&gt;java.security.auth.login.config&lt;/param-name&gt;
      &lt;param-value&gt;/WEB-INF/login.conf&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
      &lt;param-name&gt;jcifs.spnego.servicePrincipal&lt;/param-name&gt;
      &lt;param-value&gt;HTTP/testconn@mydomain.com&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
      &lt;param-name&gt;jcifs.spnego.servicePassword&lt;/param-name&gt;
      &lt;param-value&gt;supersecret&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
      &lt;param-name&gt;sun.security.krb5.debug&lt;/param-name&gt;
      &lt;param-value&gt;true&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
      &lt;param-name&gt;java.security.krb5.realm&lt;/param-name&gt;
      &lt;param-value&gt;mydomain.com&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
      &lt;param-name&gt;java.security.krb5.kdc&lt;/param-name&gt;
      &lt;param-value&gt;testdom01.mydomain.com&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
      &lt;param-name&gt;jcifs.smb.client.domain&lt;/param-name&gt;
      &lt;param-value&gt;TESTDOMAIN&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
      &lt;param-name&gt;jcifs.http.enableNegotiate&lt;/param-name&gt;
      &lt;param-value&gt;true&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
      &lt;param-name&gt;jcifs.http.basicRealm&lt;/param-name&gt;
      &lt;param-value&gt;mydomain.com&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
      &lt;param-name&gt;jcifs.http.domainController&lt;/param-name&gt;
      &lt;param-value&gt;testdom01.mydomain.com&lt;/param-value&gt;
    &lt;/init-param&gt;
  &lt;/filter&gt;
  &lt;filter-mapping&gt;
    &lt;filter-name&gt;auth&lt;/filter-name&gt;
    &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
  &lt;/filter-mapping&gt;
&lt;/web-app&gt;
</code></pre>
<p>This leads to the following stacktrace if trying to access the app:</p>
<pre class="lang-none prettyprint-override"><code>2010-07-22 15:53:10,588 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/google].[default]] Servlet.service() for servlet default threw exception
java.lang.ArrayIndexOutOfBoundsException
    at java.lang.System.arraycopy(Native Method)
    at jcifs.ntlmssp.Type2Message.toByteArray(Type2Message.java:261)
    at jcifs.spnego.Authentication.processNtlm(Authentication.java:265)
    at jcifs.spnego.Authentication.process(Authentication.java:233)
    at jcifs.http.Negotiate.authenticate(Negotiate.java:46)
    at jcifs.http.AuthenticationFilter.doFilter(AuthenticationFilter.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
    at java.lang.Thread.run(Thread.java:619)
</code></pre>
<p>Any help is appreciated.</p>
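<p>The two things the question asks for (check that the account is valid, then fetch its groups) can be done with JDK-only APIs, without jcifs. The filter below is an added example, not code from the question or from the jcifs project. It accepts the browser's SPNEGO token with GSS-API while running as a service principal that was logged in from a keytab via JAAS, so the service key never has to sit in web.xml the way <code>jcifs.spnego.servicePassword</code> does in the configuration above. It then reads the user's <code>memberOf</code> attribute from Active Directory over LDAP with JNDI. A token that starts with the <code>NTLMSSP</code> signature is not a Kerberos ticket (the stack trace above shows the NTLM branch being taken), so the filter refuses it with a plain 401 instead of passing it on. The JAAS entry name <code>KerberosServer</code>, the keytab path, the principal spelling <code>HTTP/testconn@MYDOMAIN.COM</code>, the LDAP URL and the base DN are assumed placeholders; the servlet API is the <code>javax.servlet</code> one JBoss of that era ships.</p>

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

// Added example: SPNEGO acceptance + AD group lookup with JDK APIs only.
// All host names, DNs, the keytab path and the JAAS entry name are assumptions.
public class SpnegoAuthFilter implements Filter {
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";   // SPNEGO mechanism (RFC 4178)
    private static final byte[] NTLMSSP_SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    private static final String LDAP_URL = "ldaps://testdom01.mydomain.com:636"; // assumed
    private static final String BASE_DN  = "DC=mydomain,DC=com";                // assumed
    private Subject serviceSubject;

    // Assumed JAAS entry in the file named by -Djava.security.auth.login.config:
    //   KerberosServer {
    //     com.sun.security.auth.module.Krb5LoginModule required
    //       useKeyTab=true storeKey=true doNotPrompt=true
    //       keyTab="/etc/testconn.keytab" principal="HTTP/testconn@MYDOMAIN.COM";
    //   };
    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            LoginContext lc = new LoginContext("KerberosServer");
            lc.login();
            serviceSubject = lc.getSubject();   // carries the service key and a TGT
        } catch (Exception e) {
            throw new ServletException("service principal login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Negotiate ")) {
            response.setHeader("WWW-Authenticate", "Negotiate");   // ask the browser for a token
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        byte[] token = Base64.getDecoder().decode(header.substring("Negotiate ".length()).trim());
        if (token.length >= NTLMSSP_SIG.length
                && Arrays.equals(Arrays.copyOf(token, NTLMSSP_SIG.length), NTLMSSP_SIG)) {
            // Raw NTLM inside Negotiate: not Kerberos, so refuse it instead of feeding it to the acceptor
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Kerberos ticket required");
            return;
        }
        try {
            String user = Subject.doAs(serviceSubject,
                    (PrivilegedExceptionAction<String>) () -> acceptToken(token));
            if (user == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            List<String> groups = Subject.doAs(serviceSubject,
                    (PrivilegedExceptionAction<List<String>>) () -> lookupGroups(user));
            request.setAttribute("user", user);      // e.g. jdoe@MYDOMAIN.COM
            request.setAttribute("groups", groups);  // group DNs from memberOf
        } catch (PrivilegedActionException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    // Accepts a single-round-trip SPNEGO token; returns the client principal or null
    // if the context is not yet established (multi-leg exchanges are not handled here).
    static String acceptToken(byte[] token) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential cred = manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(cred);
        try {
            ctx.acceptSecContext(token, 0, token.length);
            return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
        } finally {
            ctx.dispose();
        }
    }

    // Runs inside Subject.doAs, so the LDAP bind is SASL/GSSAPI with the service's own TGT.
    static List<String> lookupGroups(String userPrincipalName) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        DirContext ldap = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            // {0} is substituted by JNDI; the user name is never concatenated into the filter
            NamingEnumeration<SearchResult> hits = ldap.search(BASE_DN,
                    "(&(objectClass=user)(userPrincipalName={0}))", new Object[] {userPrincipalName}, sc);
            List<String> groups = new ArrayList<>();
            while (hits.hasMore()) {
                Attribute memberOf = hits.next().getAttributes().get("memberOf");
                for (int i = 0; memberOf != null && i < memberOf.size(); i++) {
                    groups.add((String) memberOf.get(i));
                }
            }
            return groups;
        } finally {
            ldap.close();
        }
    }
}
```

<p>Map the filter to <code>/*</code> as in the web.xml above and start the JVM with <code>-Djava.security.auth.login.config=...</code> plus either a krb5.conf or the <code>java.security.krb5.realm</code>/<code>java.security.krb5.kdc</code> properties the question already sets. The KDC only issues a ticket for <code>HTTP/testconn</code> if that SPN is registered on the account whose keytab the filter loads; a browser that cannot obtain such a ticket falls back to NTLM, and this filter then answers 401 rather than trying to process the NTLM message.</p>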
 
