Please explain the what, why and how of Kerberos authentication. I am using Spring 3+. Also please elaborate on how to implement it in my Java Spring project.
2 Answers
There's an official Kerberos extension for Spring Security: http://projects.spring.io/spring-security-kerberos/
The first step is to configure Spring Security for your project. Try that with, for example, a temporary in-memory authentication configuration with some hardcoded users, just to check that the rest of the configuration is OK.
Then proceed with adding a Kerberos authentication provider, configuring the SPNEGO configuration, etc. (everything is described in the documentation).
Check out the example (uses Java-based configuration, but it's easy to translate that to XML config): https://github.com/spring-projects/spring-security-kerberos/blob/master/spring-security-kerberos-samples/
And the documentation: http://docs.spring.io/spring-security-kerberos/docs/1.0.0.RC2/reference/htmlsingle/

Hi Martin, somehow my Kerberos got called. But now I am getting "Kerberos validation not successful". Caused by: GSSException: Failure unspecified at GSS-API level. Caused by: KrbException: Specified version of key is not available. – Lakshya Apr 17 '15 at 09:13
Documentation (https://www.novell.com/support/kb/doc.php?id=7014802) says: "The error is caused by a difference in a key version number stored in Active Directory for the service principal user and keytab. This is usually caused by resetting the service principal user password." And the suggestion is to regenerate the keytab file. After that probably just retry. – Martin Spa Apr 17 '15 at 12:42
Also check these two questions, may be helpful: http://stackoverflow.com/questions/12517134/badcredentialsexception-kerberos-validation-not-succesfull & http://stackoverflow.com/questions/2973355/defective-token-deteced-error-ntlm-not-kerberos-with-kerberos-spring-securit – Martin Spa Apr 17 '15 at 12:46
Hi Martin, I am getting GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag). Please suggest any workaround. Do I need to generate the keytab again? – Lakshya Apr 20 '15 at 06:44
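A diagnostic sketch for the "GSSHeader did not find the right tag" error in the comments above, added here as an example and not taken from the answers or from spring-security-kerberos: that error is raised when the token in the `Authorization: Negotiate` header does not begin with the GSS-API 0x60 tag, and a common cause is the client sending an NTLM token instead of a Kerberos one, in which case regenerating the keytab changes nothing. The class and method names are hypothetical, the sample headers are constructed, and Java 8+ is assumed for `java.util.Base64`.

```java
import java.util.Arrays;
import java.util.Base64;

// Added example: class and method names are hypothetical, not part of any library.
public class NegotiateTokenCheck {
    private static final byte[] NTLM_SIG = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    // DER-encoded mechanism OIDs (tag 0x06, length, value).
    private static final byte[] SPNEGO_OID =   // 1.3.6.1.5.5.2
        {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
    private static final byte[] KRB5_OID =     // 1.2.840.113554.1.2.2
        {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};

    static String classify(String header) {
        if (header == null || !header.startsWith("Negotiate ")) return "NOT_NEGOTIATE";
        byte[] t;
        try {
            t = Base64.getDecoder().decode(header.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return "BAD_BASE64";
        }
        // NTLM messages start with the ASCII signature "NTLMSSP\0", not a GSS header.
        if (startsWith(t, 0, NTLM_SIG)) return "NTLM";
        // A GSS-API initial token starts with the ASN.1 [APPLICATION 0] tag, 0x60.
        if (t.length < 2 || t[0] != 0x60) return "NO_GSS_HEADER";
        // Skip the DER length: one byte in short form, 0x80|n plus n bytes in long form.
        int off = 2;
        if ((t[1] & 0x80) != 0) off += t[1] & 0x7f;
        if (startsWith(t, off, SPNEGO_OID)) return "SPNEGO";
        if (startsWith(t, off, KRB5_OID)) return "KERBEROS";
        return "UNKNOWN_MECH";
    }

    private static boolean startsWith(byte[] data, int off, byte[] prefix) {
        if (data.length - off < prefix.length) return false;
        return Arrays.equals(Arrays.copyOfRange(data, off, off + prefix.length), prefix);
    }

    public static void main(String[] args) {
        // Constructed samples: the start of an NTLM type 1 message and a bare SPNEGO header.
        byte[] ntlm = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0, 1, 0, 0, 0};
        byte[] spnego = {0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
        Base64.Encoder enc = Base64.getEncoder();
        System.out.println(classify("Negotiate " + enc.encodeToString(ntlm)));
        System.out.println(classify("Negotiate " + enc.encodeToString(spnego)));
    }
}
```

Logging the result of `classify` for failing requests, without logging the token itself, shows whether the problem is on the client side (NTLM fallback) or in ticket validation on the server.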
I have tried to explain the what and how part of the Kerberos protocol in my blog at: Kerberos. Please feel free to check it out. A summary of the same is as follows:
Kerberos is a trusted third-party authentication protocol designed for TCP/IP networks which is based on symmetric cryptography.
Kerberos provides encrypted transport and authentication using security tokens and secure session keys, in order to secure the communication between the client and the server.
The Kerberos model basically consists of a Kerberos server which authenticates the client and provides security tokens in order to interact with a ticket granting service, or TGS. The TGS is then responsible for authenticating this client for access to the actual server.
I have tried to describe it in a pictorial and step by step way in my blog.
