
Team, I have a question on Single Sign On using Kerberos Authentication.

We have generated a keytab file for the domain "POC.MAIL.COM", and our server is hosted on "SW.MAIL.COM". As our application runs on WebSphere Application Server, we tried to set the Kerberos configuration as given in the document (page 167 of http://www.redbooks.ibm.com/redbooks/pdfs/sg247771.pdf). We are facing an error saying "Cannot get credential for principal service HTTP/server1.SW.MAIL.COM@SW.MAIL.COM". Can someone help me in resolving the issue?

Please post a comment if any additional information is required.

When I try to set the krb5.conf and keytab file on "Kerberos Authentication Mechanism page", we are getting this error.

When I ran the klist command as per your input, I got the output below:

Key table: /etc/krb5/pocsso.keytab
Number of entries: 1
[1.] principal: HTTP/server1.sw.mail.com@POC.MAIL.COM KVNO: 12

UPDATE

Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1@POC.MAIL.COM
Valid starting     Expires            Service principal
01/09/2014 16:15   02/09/2014 02:21   krbtgt/POC.MAIL.COM@POC.MAIL.COM
        renew until 08/09/2014 16:15

Chilukuri
  • How did you create the keytab? Check if your host name is not server1.sw.mail.com (lower case). In general you probably have a mismatch between the server name and the SPN in the keytab. – Gas Jul 03 '14 at 11:27
  • Host name is the same. Why is it trying to get the principal for SW.MAIL.COM instead of POC.MAIL.COM? – Chilukuri Jul 03 '14 at 14:06
  • Because either you generated the wrong keytab/SPN or you created the wrong config in WAS. Your keytab should be generated for HTTP/server1.SW.MAIL.COM@POC.MAIL.COM, and in your WAS SPNEGO config you should have server name server1.SW.MAIL.COM and realm POC.MAIL.COM. – Gas Jul 03 '14 at 14:38
  • How are you invoking kinit? – Gas Jul 14 '14 at 21:00
  • I wrote you to create a new keytab as the old one was wrong. Did you do it? What was the result? Attach to your question the command line you are using to create the keytab and the contents of the krb5.conf file. – Gas Jul 17 '14 at 19:15
  • Keytab generation looks fine, except you are missing the crypto parameter, which if you want AES256 should be -crypto AES256-SHA1. Are you still getting the "Cannot get credential for principal service HTTP/server1.SW.MAIL.COM@SW.MAIL.COM" error? Your conf file has the wrong keytab filename (uppercase extension). – Gas Jul 21 '14 at 15:04
  • You can also enable tracing com.ibm.ws.security.spnego.*=all to get some more details. – Gas Jul 21 '14 at 15:09
  • When I use AES256-SHA1, it gives the error "No supported encryption types (config file error?) while getting initial credentials". – Chilukuri Jul 23 '14 at 12:42
  • When do you have this error? Run the command '/java/bin/java com.ibm.security.krb5.internal.tools.Klist -k' and provide the output, but please edit your question and put it there, not in the comments, as it is not readable here. – Gas Jul 24 '14 at 13:12

2 Answers

Specify it only on Global security > SPNEGO web authentication, not on the Kerberos configuration page. If the keytab path is correct in your krb5.conf file, it is enough to provide just the path to the conf file (the keytab is optional).

UPDATE
In the filter definition you should have:

Host name: server1.sw.mail.com  
Kerberos realm name:  POC.MAIL.COM  
Filter criteria: yourFilterCriteria
Trim Kerberos realm from principal name - checked  

See configuration details here: Enabling and configuring SPNEGO web authentication using the administrative console

Minimal configuration in web.xml for Java EE security. You also have to have Application Security enabled in the server configuration, and userRole mapped to some users/groups from the registry.

    <security-constraint>
        <display-name>constraint</display-name>
        <web-resource-collection>
            <web-resource-name>all resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>userRole</role-name>
        </auth-constraint>
    </security-constraint>
Gas
  • Depends on the application, or something else if you need. You have details on the page that I've linked in the answer. I usually use: `request-url%=yourContextRoot;request-url!=noSPNEGO`, which means: use SPNEGO for all URIs that contain yourContextRoot AND do not contain noSPNEGO. It allows me to access the application bypassing SPNEGO if I need to, by adding &noSPNEGO to the URL. – Gas Jul 30 '14 at 10:52
  • Even with SPNEGO, I am getting the same error. – Chilukuri Jul 31 '14 at 10:55
  • What is your error exactly? Are there any exceptions/messages in the SystemOut.log related to it? – Gas Jul 31 '14 at 11:07
  • It still points to the wrong realm; it should be POC.MAIL.COM, so you have a problem somewhere in the configuration. – Gas Jul 31 '14 at 11:20
  • You have seen krb5.conf and the way of creating the keytab file. Where else could the problem be? Am I missing anything? – Chilukuri Jul 31 '14 at 11:43
  • The filter parameters are given correctly. I have given the context root as the filter criteria. But why is it trying to get the principal for HTTP/server1.sw.mail.com@SW.MAIL.COM instead of POC.MAIL.COM? :( – Chilukuri Jul 31 '14 at 13:18
  • Do you have any other keytab files? Or wrong realm, and keytab defined on the Kerberos configuration page? Is the keytab path in the krb5.conf file correct? – Gas Jul 31 '14 at 13:41
  • Post somewhere screenshots of the following pages from your WebSphere admin console: 1)Kerberos Authentication Mechanism page 2)SPNEGO web authentication 3) Filter definition – Gas Jul 31 '14 at 16:43
  • Cleared that error. Actually I am trying to implement Single Sign On (i.e. when users log on to a Windows desktop machine and try to open our web application, they should be able to see the application directly without needing to enter login credentials). Following the document mentioned in my main post, the authentication mechanism is getting applied to the WAS Admin console. How do I achieve my requirement? – Chilukuri Aug 06 '14 at 09:47
  • I'm sorry, I don't understand your comment. Do you want to protect the admin console, your app, or any app? All that has already been told: you do that by defining filter criteria, which define what applications to intercept. – Gas Aug 06 '14 at 18:46
  • I need to implement SSO for my application. Following the document, the authentication has been applied to the WAS Admin console. What am I supposed to do to get SSO for my application? Please suggest how to proceed. – Chilukuri Aug 07 '14 at 10:35
  • Any help.? Please put a comment if some other information is required. – Chilukuri Aug 08 '14 at 10:59
  • You have all information in this thread, just reread them carefully. – Gas Aug 08 '14 at 11:12
  • If you correctly configure the filter criteria to include your application, then it will use SPNEGO authentication. Otherwise it will use the mechanism configured by the application. To debug security problems you can use the following trace string: com.ibm.ws.security.*=all, or just for SPNEGO: com.ibm.ws.security.spnego.*=all. – Gas Aug 13 '14 at 21:47
  • You don't need to change anything in web.xml. It is not related. – Gas Aug 25 '14 at 13:57
  • Did you have to log in to your application before you configured SSO? You always start with plain authentication, then you configure SSO. If you were never asked for credentials (if the application is not protected), SSO credentials won't be asked for. I've added a sample web.xml config. – Gas Aug 28 '14 at 09:36
  • Yes Gas, we do have a login module which is not configured in web.xml. Do you want me to change this web.xml and test the SSO? – Chilukuri Aug 28 '14 at 12:51
  • LoginModule is from JAAS and has nothing to do with web.xml. You need the `` element in web.xml. If you don't have any, you need to add it. – Gas Aug 28 '14 at 13:10
  • Thank you very much Gas, will do that and get back with an update. Once again, thank you very much. – Chilukuri Aug 28 '14 at 13:24
  • I am getting this error in the SystemOut.log. Assist me on how to solve this: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Mon Aug 25 14:54:00 CEST 2014, current Date: Mon Sep 01 15:15:16 CEST 2014. – Chilukuri Sep 01 '14 at 14:36
  • Restart the browser or clear the LTPA cookies; they are expired and that's why you have this error. – Gas Sep 01 '14 at 15:57
  • I have restarted the browser. If we don't restart the browser, what would be the impact.? – Chilukuri Sep 01 '14 at 16:38
  • Thank you very much for your help Gas, I am a step away from SSO. I have one doubt with respect to the klist command: when I execute the command **klist**, I am getting the output mentioned in the question update. What do the expiry and renewal dates indicate there? – Chilukuri Sep 01 '14 at 16:41
  • I'd suggest to create separate questions for your new issues as this thread has been already too long. – Gas Sep 01 '14 at 19:22
  • Please go through the link Gas: http://stackoverflow.com/questions/25627037/klist-command-usage-related-to-single-sign-on-for-was-7-application – Chilukuri Sep 02 '14 at 15:29
  • I am able to use SSO for the application with the URL "http://poc.mail.com". But when I try to access "http://poc.mail.com/index.jsp", it is not asking for credentials. What might be the reason? @Gas – Chilukuri Sep 06 '14 at 07:00
  • @Chilukuri This is the SSO behavior, that you are not asked for credentials, and are automatically logged with current user credentials. What would you expect? – Gas Sep 08 '14 at 14:25
  • For some url, SSO should not work. To get that, how we need to frame the url.? – Chilukuri Sep 09 '14 at 03:00
  • @Chilukuri You need to provide filter criteria - http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.nd.doc/info/ae/ae/tsec_SPNEGO_config.html?cp=SSAW57_8.0.0%2F1-3-0-20-2-0&lang=en – Gas Sep 09 '14 at 08:40
  • If I specify request-url!=noSPNEGO, how should I write the URL in order not to use SPNEGO? – Chilukuri Sep 09 '14 at 10:17
  • My requirement is for SSO not to work for one URL. Please suggest what I can do in such cases, i.e. the SPNEGO filter change and the URL change. – Chilukuri Sep 09 '14 at 12:35
  • No, it is not working. `NTLM token not received` means that SPNEGO is trying to work, but it receives the wrong token. Check the infocenter for potential reasons: http://www-01.ibm.com/support/knowledgecenter/api/content/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rsec_SPNEGO_troubles.html?locale=en&ro=kcUI#rsec_SPNEGO_troubles__sserror. And when you added ?noSPNEGO, it bypassed SPNEGO and used the default authentication mechanism. – Gas Sep 09 '14 at 14:29
  • When I added ?noSPNEGO like http://poc.mail.com/ssotest/?noSPNEGO, it gives a popup asking for credentials, by which we can consider SSO is working. – Chilukuri Sep 09 '14 at 14:33
  • @Chilukuri I suggest you to contact IBM sales representative and engage IBM Software Services to configure it for you. – Gas Sep 09 '14 at 16:49
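The filter-criteria rule Gas keeps coming back to is the part of this thread that decides whether a request ever reaches SPNEGO. The following is an added illustration, not WebSphere's own code: it models the `request-url%=yourContextRoot;request-url!=noSPNEGO` form exactly as Gas describes it (clauses joined by `;` must all hold, `%=` means "URL contains", `!=` means "URL does not contain"), and reports which mechanism a given URL would end up with. The `==` operator and the `auth_mechanism` helper are assumptions added for completeness; only the `request-url` attribute is modelled.

```python
"""Model of the WebSphere SPNEGO filter criteria discussed above.

Added illustration, not WebSphere code. Clauses are separated by ';' and all
must hold; '%=' means "the request URL contains the value" and '!=' means
"the request URL does not contain the value" (Gas's explanation). '==' (exact
match on the URL) is an assumed extra; only the request-url attribute is modelled.
"""

# Operators, listed so the two-character forms are tried in this order.
_OPERATORS = ("%=", "!=", "==")


def parse_criteria(criteria):
    """Split a criteria string into (attribute, operator, value) triples."""
    rules = []
    for clause in (c.strip() for c in criteria.split(";")):
        if not clause:
            continue
        for op in _OPERATORS:
            if op in clause:
                attr, value = clause.split(op, 1)
                rules.append((attr.strip(), op, value.strip()))
                break
        else:
            raise ValueError("unsupported clause: %r" % clause)
    return rules


def spnego_intercepts(criteria, request_url):
    """True when every clause holds, i.e. SPNEGO would handle this request."""
    for attr, op, value in parse_criteria(criteria):
        if attr != "request-url":
            raise ValueError("only request-url is modelled here, got %r" % attr)
        if op == "%=" and value not in request_url:
            return False
        if op == "!=" and value in request_url:
            return False
        if op == "==" and value != request_url:
            return False
    return True


def auth_mechanism(criteria, request_url):
    """Mechanism the request ends up with: SPNEGO, or the application's own login."""
    return "SPNEGO" if spnego_intercepts(criteria, request_url) else "application-login"


if __name__ == "__main__":
    # Constructed sample URLs following the shapes used in the thread.
    crit = "request-url%=ssotest;request-url!=noSPNEGO"
    for url in ("http://poc.mail.com/ssotest/",
                "http://poc.mail.com/ssotest/?noSPNEGO",
                "http://poc.mail.com/other/"):
        print(url, "->", auth_mechanism(crit, url))
```

Run as-is it shows the two outcomes Chilukuri observed: the context-root URL is intercepted by SPNEGO, while the same URL with `?noSPNEGO` falls through to whatever the application itself configured (here the credentials popup). A URL outside the context root is not intercepted at all, which is why an over-narrow criteria string leaves an application on its original login.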

A bit of a late answer.

Regenerate the keytab file by running the ktpass command as:

ktpass -out file.keytab -princ HTTP/server1.SW.MAIL.COM@POC.MAIL.COM -mapuser your-user -pass your-pwd -ptype KRB5_NT_PRINCIPAL

Solving the error:

org.ietf.jgss.GSSException, major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Cannot get credential for principal HTTP/appserver.example.com@EXAMPLE.COM

boils down to the following rules when generating the keytab file:

  • The principal service must follow the format

<service name>/<fully qualified hostname>@KerberosRealm

  • Double check the spelling of the principal service
  • The service name must be all upper case, that is HTTP and not http
  • The Kerberos realm must also be all upper case, and
  • The host name must be found in the /etc/hosts file or the DNS server.

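The rules in this answer are easy to check before a keytab is cut, and the same split of a principal into service, host and realm shows where the principal requested in the question (`HTTP/server1.SW.MAIL.COM@SW.MAIL.COM`) diverges from the keytab entry (`HTTP/server1.sw.mail.com@POC.MAIL.COM`). The following is an added example, not the answerer's or IBM's code: `check_spn` encodes the four rules above (format, upper-case service name, upper-case realm, resolvable host) and `diff_principals` reports the differing components. The `resolver` parameter and the constructed offline resolver used in the sample run are assumptions so that the check runs without a network.

```python
"""Pre-flight check of a Kerberos service principal name before a keytab is generated.

Added illustration, not the answerer's or IBM's code. It encodes the rules from
the answer: <service>/<fully qualified hostname>@REALM, service name and realm in
upper case, host present in /etc/hosts or DNS. Resolution uses
socket.gethostbyname by default; a resolver callable can be passed to run offline.
"""
import re
import socket

_SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def split_principal(principal):
    """Return (service, host, realm) or raise ValueError if the shape is wrong."""
    m = _SPN_RE.match(principal)
    if not m:
        raise ValueError("%r is not <service>/<fqdn>@REALM" % principal)
    return m.group("service", "host", "realm")


def check_spn(principal, expected_realm=None, resolver=socket.gethostbyname):
    """Return a list of rule violations; an empty list means the SPN passes."""
    try:
        service, host, realm = split_principal(principal)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if service != service.upper():
        problems.append("service name must be upper case: %s, not %s" % (service.upper(), service))
    if realm != realm.upper():
        problems.append("realm must be upper case: %s, not %s" % (realm.upper(), realm))
    if "." not in host:
        problems.append("host %r is not a fully qualified name" % host)
    if expected_realm is not None and realm != expected_realm:
        problems.append("realm %s differs from the configured realm %s" % (realm, expected_realm))
    try:
        resolver(host)  # must be in /etc/hosts or DNS
    except OSError as exc:
        problems.append("host %s does not resolve: %s" % (host, exc))
    return problems


def diff_principals(requested, in_keytab):
    """Components that differ between the requested principal and the keytab entry.

    The host is compared exactly: a lower-case vs upper-case host name is
    reported, since the comments on the question raise that as a suspect.
    """
    names = ("service", "host", "realm")
    return {n: (a, b)
            for n, a, b in zip(names, split_principal(requested), split_principal(in_keytab))
            if a != b}


if __name__ == "__main__":
    def offline(host):  # constructed resolver so the sample needs no network
        return "192.0.2.10"
    print(check_spn("HTTP/server1.sw.mail.com@POC.MAIL.COM", "POC.MAIL.COM", offline))
    print(diff_principals("HTTP/server1.SW.MAIL.COM@SW.MAIL.COM",
                          "HTTP/server1.sw.mail.com@POC.MAIL.COM"))
```

Passing the realm from krb5.conf as `expected_realm` turns the question's symptom into a reported mismatch instead of a GSSException at runtime; the diff on the two principals from the thread flags both the host-name case and the realm, which is the pair of differences the comments circle around.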