StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POSpring Kerberos Extension, SSO and Machines Outside the Domain
primarykey
Id
4313662
data
AcceptedAnswerId
0
AnswerCount
2
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2010-11-30T12:19:58.110
FavoriteCount
3
LastActivityDate
2012-06-06T15:36:52.433
LastEditDate
2012-06-06T15:36:52.433
LastEditorUserId
384674
OwnerUserId
525096
ParentId
0
PostTypeId
1
Score
2
ViewCount
3272
LastEditorDisplayName
text
Body
I have been POC'ing with milestone 2 of the Kerberos extension to achieve single sign-on. Quick summary of my setup: KDC: Windows Server 2003 (SP2) Web server: Ubuntu 10.04, Tomcat 5.5, Java 1.6.0_22 (not on the domain) Spring: Framework 3.0.5, Security 3.0.4, Kerberos Extension 1.0.0 M2 I have setup my configuration to first attempt SPNEGO authentication and if it fails to then redirect to a login page. This is done by setting SpnegoAuthenticationProcessingFilter's "failureHandler" property. I have successfully tested this on Windows machines (XP and 7) that are in and out of the domain. The machines that are outside the domain gets redirected to the login page and then can successfully login. Here is my config: <pre class="lang-xml prettyprint-override"><code><?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xmlns:beans="http://www.springframework.org/schema/beans" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <http entry-point-ref="spnegoEntryPoint" auto-config="false"> <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/j_spring_security_check*" access="IS_AUTHENTICATED_ANONYMOUSLY"/> <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" /> <custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" /> <form-login login-page="/login.html" default-target-url="/" always-use-default-target="true"/> </http> <authentication-manager alias="authenticationManager"> <authentication-provider ref="kerberosServiceAuthenticationProvider" /> <authentication-provider ref="kerberosAuthenticationProvider"/> </authentication-manager> <beans:bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" /> <beans:bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter"> <beans:property name="failureHandler"> <beans:bean class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler"> <beans:property name="defaultFailureUrl" value="/login.html" /> <beans:property name="allowSessionCreation" value="true"/> </beans:bean> </beans:property> <beans:property name="authenticationManager" ref="authenticationManager" /> </beans:bean> <beans:bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider"> <beans:property name="ticketValidator"> <beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator"> <beans:property name="servicePrincipal" value="HTTP/mywebserver.corpza.corp.co.za"/> <beans:property name="keyTabLocation" value="classpath:mywebserver.keytab" /> <beans:property name="debug" value="true"/> </beans:bean> </beans:property> <beans:property name="userDetailsService" ref="dummyUserDetailsService" /> </beans:bean> <beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider"> <beans:property name="kerberosClient"> <beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient"> <beans:property name="debug" value="true" /> </beans:bean> </beans:property> <beans:property name="userDetailsService" ref="dummyUserDetailsService" /> </beans:bean> <beans:bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig"> <beans:property name="debug" value="true" /> <beans:property name="krbConfLocation" value="/etc/krb5.conf" /> </beans:bean> <beans:bean id="dummyUserDetailsService" class="main.server.DummyUserDetailsService"/> </beans:beans> </code></pre> When the Windows machine is outside the domain my web server responds with the "WWW-Authenticate Negotiate" header (as per usual) to which the Windows machine responds to with a NTLM header ("Negotiate TlRM..."), where the SpnegoAuthenticationProcessingFilter then says "Negotiate Header was invalid..." and awesomly redirects the user to the login page. Great. The Issue: There are a number of Mac and Linux machines that are permanently outside the domain which would need to use this web app. When they hit the web app (with Firefox 3.6) my web server responds with the expected "WWW-Authenticate Negotiate" header to inform the client that the web app is Kerberized, BUT neither the Mac or Linux machines responds at all. Thus the SpnegoAuthenticationProcessingFilter doesn't get entered again and hence no failure and subsequently no redirection to the login page takes place. The Question: Why doesn't the Mac and Linux machines respond in the same way as the Windows machines (can't belive I just asked that...)? I know that when the Mac and Linux machines obtain a ticket (via kinit) they are able to authenticated but this doesn't seem like a good solution at all as it requires effort from the user to provide credentials etc. where the tickets expires as well. So is there any way that we can get these machines to send back a NTLM header as the Windows machines does? Or if there are any other suggestions/ways please let me know. B.t.w. I did configure the Firefoxes that I used on to test on the Mac and Linux machines ("network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris" was set to ".corpza.corp.co.za").
Tags
<linux><spring-security><kerberos><single-sign-on>
Title
Spring Kerberos Extension, SSO and Machines Outside the Domain
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USBetlista
UserOwnerUserId
1. USMarkus Coetzee
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POSpring Kerberos Extension, SSO and Machines Outside the Domain
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POSpring Kerberos Extension, SSO and Machines Outside the Domain
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POSpring Kerberos Extension, SSO and Machines Outside the Domain
 UserUserId
 UStvirtualw
 VoteTypeVoteTypeId
 VTFavorite
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.