Kerberos Configuration Issues: Server prompts for password

I'm trying to write a Java Servlet Filter to perform Kerberos authentication through SPNEGO. I'm working with a Windows 2003 Server (Enterprise Edition), but I keep getting prompted for the password. This obviously won't do for a server program, so I'm trying to figure out a way around entering the password each time the program starts up.

Here's my (simplified) code:

    import org.ietf.jgss.GSSCredential;
    import org.ietf.jgss.GSSManager;
    import org.ietf.jgss.Oid;

    GSSManager m_manager = GSSManager.getInstance();
    Oid l_spnegoOid = new Oid("1.3.6.1.5.5.2");   // SPNEGO mechanism OID
    GSSCredential m_serverCreds = m_manager.createCredential(null,
            GSSCredential.DEFAULT_LIFETIME, l_spnegoOid, GSSCredential.ACCEPT_ONLY);

I'm calling java with these arguments:

    -Djava.security.auth.login.config=C:\spnegoLogin.conf
    -Dsun.security.krb5.debug=true
    -Djavax.security.auth.useSubjectCredsOnly=false
    -Dsun.security.spnego.debug=true

My conf file looks like this:

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/files.xythosps.com"
        keyTab="C:\test.keytab"
        ticketCache="C:\Documents and Settings\files\krb5cc_files"
        useTicketCache=true
        useKeyTab=true
        storeKey=true;
    };

The debug output looks like this. Notice the second line, where I'm prompted for the password:

    Config name: C:\WINDOWS\krb5.ini
    Kerberos password for HTTP/files.xythosps.com:
    default etypes for default_tkt_enctypes: 1.
    default etypes for default_tkt_enctypes: 1.
    >>> KrbAsReq calling createMessage
    >>> KrbAsReq in createMessage
    >>> KrbKdcReq send: kdc=xythosps.com UDP:88, timeout=30000, number of retries =3, #bytes=155
    >>> KDCCommunication: kdc=xythosps.com UDP:88, timeout=30000,Attempt =1, #bytes=155
    >>> KrbKdcReq send: #bytes read=635
    >>> KrbKdcReq send: #bytes read=635
    >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    >>>crc32: 1ca9f464
    >>>crc32: 11100101010011111010001100100
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/files.xythosps.com
    default etypes for default_tkt_enctypes: 1.
    Found key for HTTP/files.xythosps.com@XYTHOSPS.COM(1)

And I created my principal and keytab like so:

    C:\Program Files\Support Tools>setspn.exe -A HTTP/files.xythosps.com@XYTHOSPS.COM files
    Registering ServicePrincipalNames for CN=files,CN=Users,DC=xythosps,DC=com
            HTTP/files.xythosps.com@XYTHOSPS.COM
    Updated object

    C:\Program Files\Support Tools>setspn.exe -L files
    Registered ServicePrincipalNames for CN=files,CN=Users,DC=xythosps,DC=com:
        HTTP/files.xythosps.com@XYTHOSPS.COM

    C:\Program Files\Support Tools>ktpass.exe -princ HTTP/files.xythosps.com@XYTHOSPS.COM -pass welcome -mapuser files -out C:\test.keytab -crypto DES-CBC-CRC
    Targeting domain controller: ssoserver.xythosps.com
    Using legacy password setting method
    Successfully mapped HTTP/files.xythosps.com to files.
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to C:\test.keytab:
    Keytab version: 0x502
    keysize 63 HTTP/files.xythosps.com@XYTHOSPS.COM ptype 0 (KRB5_NT_UNKNOWN) vno 8 etype 0x1 (DES-CBC-CRC) keylength 8 (0x9d67c243ad029246)

    C:\Program Files\Java\jdk1.6.0\bin>kinit.exe -k -t C:\test.keytab HTTP/files.xythosps.com@XYTHOSPS.COM
    New ticket is stored in cache file C:\Documents and Settings\files\krb5cc_files

To make things simple I'm running this as the actual user the Service Principal is associated with.

[4415 byte] By [Tom_Sciora] at [2007-11-26 18:38:14]
# 1
Just to be clear, I'm familiar with the "doNotPrompt" option. If I enable it, I just get an authentication error "Couldn't find any Kerberos Key".
Tom_Sciora at 2007-7-9 6:12:18 > top of Java-index,Security,Kerberos & Java GSS (JGSS)...
# 2

Hi,

from the output of ktpass I see that the principal type is set to KRB5_NT_UNKNOWN. Try to give ktpass the additional switch

-ptype=KRB5_NT_PRINCIPAL

There might be a problem with the version number of the key, too. If you have installed "Kerberos for Windows", use the kvno tool to find out the correct version number needed for your service principal.

You can also use the ktab tool (shipped with java) to see what principals are present in a keytab file.

Furthermore, the use of 'useTicketCache' and the specification of a ticket cache are not necessary if you want to use a keytab.

How did you make java use c:\windows\krb5.ini? The default is c:\winnt\krb5.ini and you're not defining java.security.krb5.conf anywhere, are you?

Regards

sherazadea at 2007-7-9 6:12:18
# 3

I tried "-ptype=KRB5_NT_PRINCIPAL" but that didn't seem to change anything. Here's the version number stuff:

    C:\Program Files\Java\jdk1.6.0\bin>ktab.exe -k C:\test.keytab -l
    Keytab name: C:\test.keytab
    KVNO  Principal
      13  HTTP/files.xythosps.com@XYTHOSPS.COM

I think maybe I'm not understanding you correctly. How do I use kvno.exe to discover which version number I need? I figured it's supposed to be used like this, but I'm not sure:

    C:\Program Files\MIT\Kerberos\bin>kvno.exe -c "C:\Documents and Settings\files\krb5cc_files" HTTP/files.xythosps.com
    HTTP/files.xythosps.com@XYTHOSPS.COM: kvno = 13

Tom_Sciora at 2007-7-9 6:12:18
# 4
Oh, as for the c:\windows\krb5.ini, I'm running Windows Server 2003. It doesn't have a C:\winnt. Everything gets installed under C:\windows.
Tom_Sciora at 2007-7-9 6:12:18
# 5

Just to get this right,

'files' is the logon name of the service account you created in your active directory, isn't it?! And did you set the following properties for the account?

- User cannot change password

- Password never expires

- Account is trusted for delegation

- Account is sensitive and cannot be delegated

I'm wondering why ktpass does not complain about the user name, since I thought one has to specify the user name in the form

<logon-name>@<REALM>

for the mapuser flag.

Furthermore I think specifying the service principal name in the JAAS login configuration in the form

<service-name>/<fully-qualified-host-name>@<REALM>

is necessary to get things working correctly.

krb5.ini:

Even if there is no c:\winnt directory by default, which - I think - is the case for all Windows versions > WinNT4.1, this is the place Java looks for the configuration by default (see http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html). Thus placing the krb5.ini under c:\windows and not specifying the java.security.krb5.conf property anywhere should not work.

kvno:

To get the proper kvno for your service principal you have to kinit to your realm with your normal user account and then simply execute kvno giving it the principal name of the service:

    C:\> kinit tom_scior@XYTHOSPS.COM
    Password for tom_scior@XYTHOSPS.COM:

    C:\> kvno HTTP/files.xythosps.com@XYTHOSPS.COM

Again, storing the credentials of your service in a cache is not necessary and might cause problems. That is, your JAAS login config file should look like:

    kerberizedService {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=false
        storeKey=true
        doNotPrompt=true          // Krb5LoginModule option name; fail instead of prompting
        useKeyTab=true
        keyTab="c:/path-to/service.keytab"   // option name is case-sensitive; forward slashes avoid escaping
        principal="<service-name>/<service-host-name>@<REALM>";
    };

Regards

sherazadea at 2007-7-9 6:12:18
# 6
Furthermore I hope you're executing your posted code in a PrivilegedAction that is executed by a previously authenticated subject?! Perhaps posting some more of your code might help...Cheers
sherazadea at 2007-7-9 6:12:18
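An added example (not code from the thread) of the pattern #6 is asking about: the service logs in once from its keytab through a JAAS LoginContext, and both the ACCEPT_ONLY credential from the original post and every acceptSecContext call run inside Subject.doAs with that Subject. The JAAS entry name "com.sun.security.jgss.accept" is the one from the original config; the header parsing, the Outcome class and java.util.Base64 (Java 8+, not the JDK 6 used in the thread) are assumptions for illustration.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Server-side SPNEGO acceptor for a servlet filter (added example, not the thread's code).
 * Assumes a JAAS entry such as "com.sun.security.jgss.accept" with useKeyTab=true,
 * doNotPrompt=true, storeKey=true and a correctly escaped keyTab path.
 */
public final class SpnegoAcceptor {
    private static final String SPNEGO_MECH_OID = "1.3.6.1.5.5.2";
    private static final String NEGOTIATE = "Negotiate ";

    private final Subject serviceSubject;
    private final GSSCredential acceptorCreds;

    /**
     * Logs the service in from its keytab once. With doNotPrompt=true a wrong principal,
     * kvno or enctype fails here with "Couldn't find any Kerberos Key" instead of hanging
     * on a password prompt. The ACCEPT_ONLY credential is acquired inside Subject.doAs so
     * JGSS can see the key the login module stored in the Subject (storeKey=true).
     */
    public SpnegoAcceptor(String jaasEntryName) throws LoginException, GSSException {
        LoginContext lc = new LoginContext(jaasEntryName);
        lc.login();
        serviceSubject = lc.getSubject();
        acceptorCreds = doAsService(new PrivilegedExceptionAction<GSSCredential>() {
            public GSSCredential run() throws GSSException {
                return GSSManager.getInstance().createCredential(null,
                        GSSCredential.DEFAULT_LIFETIME, new Oid(SPNEGO_MECH_OID),
                        GSSCredential.ACCEPT_ONLY);
            }
        });
    }

    /** Result of processing one Authorization header (hypothetical helper type). */
    public static final class Outcome {
        /** Authenticated client, e.g. "alice@XYTHOSPS.COM"; null until the context is established. */
        public final String clientPrincipal;
        /** Base64 token for "WWW-Authenticate: Negotiate <token>", or null if there is none. */
        public final String responseToken;
        Outcome(String clientPrincipal, String responseToken) {
            this.clientPrincipal = clientPrincipal;
            this.responseToken = responseToken;
        }
    }

    /**
     * Processes the request's Authorization header value. Returns null when there is no
     * Negotiate header; the filter then answers 401 with a bare
     * "WWW-Authenticate: Negotiate" to start the exchange.
     */
    public Outcome authenticate(String authorizationHeader) throws GSSException {
        if (authorizationHeader == null || !authorizationHeader.startsWith(NEGOTIATE)) {
            return null;
        }
        final byte[] inToken = Base64.getDecoder()
                .decode(authorizationHeader.substring(NEGOTIATE.length()).trim());
        return doAsService(new PrivilegedExceptionAction<Outcome>() {
            public Outcome run() throws GSSException {
                // Kerberos inside SPNEGO normally completes in this single call; a
                // multi-leg negotiation would need the context kept across requests.
                GSSContext ctx = GSSManager.getInstance().createContext(acceptorCreds);
                try {
                    byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
                    String reply = (outToken == null || outToken.length == 0)
                            ? null : Base64.getEncoder().encodeToString(outToken);
                    // Never trust getSrcName() before isEstablished() is true.
                    String client = ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                    return new Outcome(client, reply);
                } finally {
                    ctx.dispose();
                }
            }
        });
    }

    /** Runs the action as the logged-in service, unwrapping the checked exception. */
    private <T> T doAsService(PrivilegedExceptionAction<T> action) throws GSSException {
        try {
            return Subject.doAs(serviceSubject, action);
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof GSSException) throw (GSSException) e.getCause();
            throw new IllegalStateException(e.getCause());
        }
    }
}
```

A filter constructs one SpnegoAcceptor at init time and calls authenticate() per request, sending 401 plus the responseToken until clientPrincipal is non-null. Because the credential is acquired explicitly inside Subject.doAs, the -Djavax.security.auth.useSubjectCredsOnly=false switch from the original post is no longer needed; the default (true) means JGSS takes credentials only from the current Subject, which is exactly what this class provides.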
# 7

I'm running Java 6 which does support C:\windows\krb5.ini.

Also, when I ran "debug=false" it revealed the problem:

keyTab="C:\test.keytab"

doesn't work. The slash needs to be escaped.

keyTab="C:\\test.keytab"

I assumed java would complain about it but it doesn't unless the debug flag is on. The system now works correctly. Thanks for the help.

Tom_Sciora at 2007-7-9 6:12:18
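An added example (not from the thread) of the start-up check that would have caught the problem found in #7 without turning on debug output: it asks the same JAAS Configuration the login module consults for the keyTab option, prints the path with control characters made visible (the JAAS parser treats "\t" inside a quoted value as a TAB, so "C:\test.keytab" becomes C: followed by a tab and est.keytab), and verifies the file exists and is readable before any KDC traffic. The class and method names are mine; the entry name defaults to the original post's "com.sun.security.jgss.accept".

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Pre-flight check of a Krb5LoginModule JAAS entry (added example, not the thread's code). */
public final class JaasKeytabCheck {

    /** Option names are case-sensitive: "keytab" or "keyTAB" is silently ignored by Krb5LoginModule. */
    private static final String[] REQUIRED = { "principal", "keyTab" };
    private static final String[] RECOMMENDED = { "useKeyTab", "doNotPrompt", "storeKey" };

    /** Returns the first Krb5LoginModule entry under the given JAAS name, or null. */
    public static AppConfigurationEntry krb5Entry(String entryName) {
        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(entryName);
        if (entries == null) return null;
        for (AppConfigurationEntry e : entries) {
            if (e.getLoginModuleName().endsWith("Krb5LoginModule")) return e;
        }
        return null;
    }

    /** Lists options the entry lacks, or that are not set to "true" where they should be. */
    public static List<String> problems(AppConfigurationEntry e) {
        List<String> out = new ArrayList<String>();
        Map<String, ?> opts = e.getOptions();
        for (String k : REQUIRED) if (opts.get(k) == null) out.add("missing option " + k);
        for (String k : RECOMMENDED) if (!"true".equals(opts.get(k))) out.add(k + " is not true");
        return out;
    }

    /** Shows what the JAAS parser actually produced, e.g. C:\u0009est.keytab for "C:\test.keytab". */
    public static String visible(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c == 0x7f) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    /** Run with -Djava.security.auth.login.config=C:\spnegoLogin.conf, optionally passing the entry name. */
    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "com.sun.security.jgss.accept";
        AppConfigurationEntry e = krb5Entry(name);
        if (e == null) {
            System.err.println("no Krb5LoginModule entry '" + name
                    + "'; is -Djava.security.auth.login.config set?");
            System.exit(2);
        }
        for (String p : problems(e)) System.err.println("warning: " + p);

        Object kt = e.getOptions().get("keyTab");
        if (kt == null) System.exit(2);
        String path = kt.toString();
        System.out.println("keyTab as parsed: " + visible(path));
        File f = new File(path);
        if (!f.isFile() || !f.canRead()) {
            System.err.println("keytab not found or unreadable: " + visible(path)
                    + " (in the .conf file write C:\\\\test.keytab or C:/test.keytab)");
            System.exit(1);
        }
        System.out.println("keytab OK: " + f.getAbsolutePath() + " (" + f.length() + " bytes)");
    }
}
```

Two things worth pairing with this check: ktab -k <file> -l (as in #3) confirms the principal and kvno inside the file match what the KDC expects, and the keytab is the service's long-term key, so its file ACL should allow reads only to the account the servlet container runs as.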