
I'm having a problem setting up SSO for the intranet websites. Currently I'm working with Tomcat 8.0 and Waffle 1.8.4. They work great, but there is only one problem: the browsers (Firefox and IE, after the settings were applied as described here and here) cannot do Kerberos authentication, only NTLM.

I analyzed the traffic with Wireshark: Tomcat sends the HTTP header field "WWW-Authenticate" and the browser answers with a base64-encoded string in the header field "Authentication" that contains NTLMSSP. I guess this is not Kerberos, or is it?

I read a post (WWW-Authenticate uses NTLM and not Kerberos) that for Kerberos to work, the server has to be registered in the AD with the command setspn.exe. I tried to get the right syntax for setspn (described here), but without any luck. The server has the following parameters:

  • IP: 10.0.0.1

  • Service: Tomcat-Http

  • Port: 8080

  • Accountname: company-net\foobar

I use this command for setspn:

setspn -A "HTTP/10.0.0.1:8080 company-net\foobar"

but it does not work. Both the server and the client are in the same Windows domain, using Windows 10.

What is wrong with it?

Do I need anything else?

ThunderHorn
awgold90

1 Answer


Kerberos relies on DNS (valid hostnames) and SPNs to function. Looks like you've done a bit of research so far, which is good. What isn't that well known is that when you point an otherwise perfectly fine working Kerberos client to the IP of a host, rather than to its DNS hostname, Kerberos will be bypassed and the fallback authentication mechanism will be employed instead - NTLM in this case.

Michael-O, the top Kerberos contributor to this forum, said it best with his answer about this back in 2012:

Kerberos does not work with IP addresses; it relies on domain names and correct DNS entries only.

T-Heron
Exactly this. IP addresses aren't supported. EXCEPT they are now, in Win 10 1507+ https://learn.microsoft.com/en-us/windows-server/security/kerberos/whats-new-in-kerberos-authentication – Steve Nov 14 '18 at 19:51

Thank you for the help. Figuring out that an IP address isn't allowed would have cost me a lot of time. I'm just reading that Windows 10 disabled the registry key allowtgtsessionkey ([1](https://support.microsoft.com/en-za/help/308339/registry-key-to-allow-session-keys-to-be-sent-in-kerberos-ticket-grant), [2](https://bugs.java.com/view_bug.do?bug_id=6722928)), so we have to use the Windows SSPI API (Waffle, [Nsspi](https://github.com/antiduh/nsspi) use C# to access the security context) and can forget a pure Java solution like JGSS, JAAS, or SPNEGO. Did you notice this? – awgold90 Nov 16 '18 at 10:03
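The question saw a base64 blob containing NTLMSSP and asked whether that is Kerberos; the answer explains that addressing the server by IP makes the browser fall back to NTLM. As an added example (not from the original post, Tomcat or Waffle), this Python decoder reads the token from the Authorization header and reports which mechanism the client really used, so a server-side log can show Kerberos versus NTLM fallback per request. The `sample_negotiate_header` helper builds constructed SPNEGO tokens for testing, not captured traffic.

```python
import base64
# DER contents of the mechanism OIDs that open a GSS-API InitialContextToken (RFC 2743, 3.1)
SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLM_OID = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
NAMES = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLM_OID: "ntlm"}

def _tlv(buf: bytes, i: int):
    """Decode one DER tag-length-value at offset i; return (tag, value_start, value_end)."""
    tag, first = buf[i], buf[i + 1]
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        return tag, i + 2 + n, i + 2 + n + int.from_bytes(buf[i + 2:i + 2 + n], "big")
    return tag, i + 2, i + 2 + first

def classify_token(header_value: str) -> str:
    """Name the mechanism the client really used in an 'Authorization: <scheme> <b64>' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64)
    if scheme.lower() == "ntlm" or raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                      # bare NTLMSSP message, no GSS-API wrapper
    tag, i, _ = _tlv(raw, 0)
    if tag != 0x60:
        return "unknown"
    _, s, e = _tlv(raw, i)                 # thisMech OID
    if raw[s:e] != SPNEGO:
        return NAMES.get(raw[s:e], "unknown")   # e.g. a bare Kerberos AP-REQ
    # SPNEGO NegTokenInit: [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }; the
    # mechToken belongs to the FIRST listed mechanism, so that OID is the one in use.
    _, i, _ = _tlv(raw, e)                 # [0] NegTokenInit
    _, i, _ = _tlv(raw, i)                 # SEQUENCE
    _, i, _ = _tlv(raw, i)                 # [0] mechTypes
    _, i, _ = _tlv(raw, i)                 # SEQUENCE OF
    _, s, e = _tlv(raw, i)                 # first OID
    return "spnego-" + NAMES.get(raw[s:e], "unknown")

def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def sample_negotiate_header(mech_oid: bytes, mech_token: bytes) -> str:
    """Constructed sample (not captured traffic): a NegTokenInit offering one mechanism."""
    mech_types = _der(0x30, _der(0x06, mech_oid))
    neg_init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token)))
    token = _der(0x60, _der(0x06, SPNEGO) + _der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()
```

A result of "ntlm" or "spnego-ntlm" on a request that reached the server by its DNS hostname points at a missing or wrong SPN rather than at the IP-address fallback the answer describes.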