Comments (2)
Kerberos errors can be misleading.
I would say that the following lines look suspicious:
<property name="servicePrincipal" value="HTTP/[email protected]"/>
<property name="keyTabLocation" value="file:C:\Temp\foobar.keytab"/>
Say you have an AD account for your server called srv_server, the DNS name of your server (A-record ideally) is foo.bar, and your srv_server account has the HTTP/foo.bar SPN associated with it.
In this case you should create a keytab for account srv_server (it's case sensitive; you wouldn't get an error when creating the keytab if you mess up something) and use srv_server as the servicePrincipal property.
Hope it helps.
@bedrin thanks for the help.
One more question: so srv_server is the name of the account, and the servicePrincipal's value should be srv_server as well?
<property name="servicePrincipal" value="srv_server"/> <!-- as here -->
With this setup I got the following stack trace:
Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
...
Edit:
If I list the keytab file it contains the following info:
$ java sun.security.krb5.internal.tools.Klist -k -t /c/Temp/app.keytab
Key tab: C:/Temp/app.keytab, 5 entries found.
[1] Service principal: HTTP/[email protected]
KVNO: 5
Time stamp: Jan 01, 1970 01:00:00
[2] Service principal: HTTP/[email protected]
KVNO: 5
Time stamp: Jan 01, 1970 01:00:00
[3] Service principal: HTTP/[email protected]
KVNO: 5
Time stamp: Jan 01, 1970 01:00:00
[4] Service principal: HTTP/[email protected]
KVNO: 5
Time stamp: Jan 01, 1970 01:00:00
[5] Service principal: HTTP/[email protected]
KVNO: 5
Time stamp: Jan 01, 1970 01:00:00
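Added example, not part of the thread or of kerb4j: Krb5LoginModule looks up keytab keys by the configured principal name, and when it finds none it falls through to the password prompt seen in the stack trace above. The sketch below parses a Klist listing and checks a servicePrincipal value against it; the function names and the realm EXAMPLE.COM are assumptions, and the sample listing is constructed.

```python
import re

# Constructed sample in the layout printed by
# `java sun.security.krb5.internal.tools.Klist -k -t <keytab>`.
# The realm EXAMPLE.COM is a placeholder, not a value from the thread.
SAMPLE_KLIST = """\
Key tab: C:/Temp/app.keytab, 2 entries found.
[1] Service principal: HTTP/foo.bar@EXAMPLE.COM
KVNO: 5
Time stamp: Jan 01, 1970 01:00:00
[2] Service principal: HTTP/foo.bar@EXAMPLE.COM
KVNO: 5
Time stamp: Jan 01, 1970 01:00:00
"""

ENTRY = re.compile(r"^\s*\[\d+\]\s+Service principal:\s+(\S+)\s*$", re.MULTILINE)


def keytab_principals(klist_output):
    """Distinct principals named in the listing, in first-seen order."""
    return list(dict.fromkeys(ENTRY.findall(klist_output)))


def check_principal(configured, klist_output):
    """Compare a configured servicePrincipal with the keytab entries.

    Returns (status, candidates), where status is one of:
      match           - exact, case-sensitive entry exists
      realm_dependent - entry exists only once a realm is appended, so it
                        works only if the JVM default realm is that realm
      case_mismatch   - an entry differs from the value only by letter case
      not_found       - no entry for this name; candidates lists what exists
    """
    entries = keytab_principals(klist_output)
    if configured in entries:
        return "match", [configured]
    if "@" not in configured:
        hits = [e for e in entries if e.rsplit("@", 1)[0] == configured]
        if hits:
            return "realm_dependent", hits
    hits = [e for e in entries if e.lower() == configured.lower()]
    if hits:
        return "case_mismatch", hits
    return "not_found", entries


if __name__ == "__main__":
    for value in ("HTTP/foo.bar@EXAMPLE.COM", "HTTP/foo.bar", "srv_server"):
        print(value, "->", check_principal(value, SAMPLE_KLIST))
```
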