
We are trying to do Windows authentication using Spring Security.

When we saw that we cannot authenticate our domain user with the keytab file created for our local PC, we checked our service user and saw that its password is valid. Then we checked whether we can reach the AD domain from local. No request reached from our local machine, as we verified with a network monitoring tool on the AD domain server. We also checked the outgoing traffic from our client with the command below:

netstat -oan 1 | find /I "[IP_ADDRESS_OF_AD_DOMAIN]"

We could reach that IP from our local machine; tested with telnet.

Our application.properties is like below:

app.ad-domain= example.com
app.ad-server= ldap://adds.example.com.tr/
app.service-principal= HTTP/local_pc.example.com.tr@EXAMPLE.COM.TR
app.keytab-location= local_pc.keytab
app.ldap-search-base= OU=All Users,DC=example,DC=com
app.ldap-search-filter= "(| (userPrincipalName={0}) (sAMAccountName={0}))"

As a result, we cannot get the srcName of the GSSContext: the gssName variable is null. The related SunJaasKerberosTicketValidator code block is below:

@Override
public KerberosTicketValidation run() throws Exception {
    byte[] responseToken = new byte[0];
    GSSName gssName = null;
    // Acceptor context using the default (keytab-backed) credentials of the logged-in Subject
    GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
    boolean first = true;
    while (!context.isEstablished()) {
        if (first) {
            kerberosTicket = tweakJdkRegression(kerberosTicket);
        }
        // Consume the SPNEGO/Kerberos token sent by the client
        responseToken = context.acceptSecContext(kerberosTicket, 0, kerberosTicket.length);
        // Name of the initiator (the client principal); null here is the error we see
        gssName = context.getSrcName();
        if (gssName == null) {
            throw new BadCredentialsException("GSSContext name of the context initiator is null");
        }
        first = false;
    }
    if (!holdOnToGSSContext) {
        context.dispose();
    }
    return new KerberosTicketValidation(gssName.toString(), servicePrincipal, responseToken, context);
}

When we searched for this "GSSContext with null SrcName" error, the suggested solutions are generally related to the keytab file. But in our case, we cannot even reach the AD server, as mentioned at the beginning.

Related link: GSSContext with null SrcName

Is there any other suggestion?

Thanks...
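One way to separate "the JDK cannot find or reach the KDC" from "the keytab is wrong" is a stand-alone keytab login that runs as an initiator: unlike the validator above, which acquires acceptor credentials only (isInitiator=false, no KDC round trip), an initiator login must send an AS-REQ to the KDC, so the krb5 debug output shows which realm and KDC address the JDK resolved and whether a reply came back. This is an added diagnostic, not code from the question or from spring-security-kerberos; the principal and keytab values mirror the application.properties above, while the JAAS entry name and the C:/Windows/krb5.ini path are assumptions (Windows ships no such file by default).

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Stand-alone diagnostic: log in from the keytab as an initiator so the JDK must contact the KDC. */
public class KeytabKdcCheck {

    // Mirrors app.service-principal and app.keytab-location from the question's application.properties
    static final String PRINCIPAL = "HTTP/local_pc.example.com.tr@EXAMPLE.COM.TR";
    static final String KEYTAB = "local_pc.keytab";
    // Assumed location of the Kerberos client config; adjust to wherever your krb5.ini/krb5.conf lives
    static final String KRB5_CONF = "C:/Windows/krb5.ini";

    /** JAAS configuration built in code, so no separate jaas.conf file is needed for this check. */
    static Configuration keytabConfig(String principal, String keytab) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", keytab);
                opts.put("principal", principal);
                opts.put("storeKey", "true");
                opts.put("doNotPrompt", "true");
                // The validator uses isInitiator=false; "true" forces a TGT request (AS-REQ) to the KDC
                opts.put("isInitiator", "true");
                opts.put("refreshKrb5Config", "true");
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    public static void main(String[] args) {
        System.setProperty("java.security.krb5.conf", KRB5_CONF);
        // Prints the realm, the KDC address/port the JDK tries, and each request/reply
        System.setProperty("sun.security.krb5.debug", "true");
        try {
            // "keytab-check" is a hypothetical entry name; our Configuration ignores it
            LoginContext lc = new LoginContext("keytab-check", null, null, keytabConfig(PRINCIPAL, KEYTAB));
            lc.login();
            Subject subject = lc.getSubject();
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                System.out.println("TGT obtained for " + t.getServer() + ", valid until " + t.getEndTime());
            }
        } catch (LoginException e) {
            // e.g. "Cannot locate KDC" points at krb5 config/DNS, a checksum or pre-auth error at the keytab
            System.err.println("Keytab login failed: " + e.getMessage());
        }
    }
}
```

Run it on the same machine as the application, with the same JDK, and watch the debug lines before the exception: if no "KrbKdcReq send" line appears, the JDK never resolved a KDC for the realm (krb5 config or DNS), which is consistent with the empty netstat output; if a request is sent but fails, the keytab or principal is the problem. Note that the realm in the principal (EXAMPLE.COM.TR) differs from the app.ad-domain value and the DC=example,DC=com search base in the properties above; the debug output makes explicit which realm the JDK actually tries to locate a KDC for.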

  • DNS needs to be working in order to find Active Directory servers. Secondly, the application might need a C:\Windows\krb5.ini file set up to help locate the KDC in Active Directory. That file does not exist by default on Windows. – T-Heron Jan 18 '18 at 12:47
  • @T-Heron Thanks for your help. We tried to set the krb5.conf file path like the sample below, but couldn't solve it. https://stackoverflow.com/questions/41720878/spring-boot-with-spnego-kerberos-config-issues-a-servletcontext-is-required We developed our sample using the url below. Is it the correct way to set it as stated in the previous url, or is there any other way to set this file path? https://github.com/spring-projects/spring-security-kerberos – Zahid Arikan Jan 22 '18 at 14:55
  • Let's see your krb5.conf. – T-Heron Jan 22 '18 at 15:06
  • @ZahidArikan do you have a solution? – Devrim Mar 16 '18 at 21:02
