Ho provato per diversi giorni per farlo funzionare. Finora sto ottenendo l'errore Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
:, sebbene a volte con una modifica di ktpass l'errore si riferisca invece ad AES128.
Ho letto "Capitolo 2. Come configurare SSO per JBoss EAP con Kerberos" e ho letto molti (molti, molti) post. Inizialmente stavo usando Tomcat 8 con il progetto SPNEGO sourceforge e l'ho ottenuto lavorando con il mio progetto GWT (2.8.2). Nessuna fortuna ancora se il JBoss. Nel ktpass di seguito ho provato / kvno 0 e 1, 2, 3, 4 e omettendolo del tutto, ma non ha fatto alcuna differenza, tranne per il fatto che (credo) il messaggio di errore si è lamentato (alternativamente) di AES128 e quindi 256. Ottengo questo errore quando si prova con Firefox. Se uso IE 11 non capisco, richiede un utente e una password (che è stata una sorpresa). Se inserisco le mie credenziali non dà l'errore, dice solo:
Debug is true storeKey false useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /home/user1/dev/spnego.keytab refreshKrb5Config is true principal is HTTP/u1604ecm@MYCOMP.CO.UK tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
principal is HTTP/u1604ecm@MYCOMP.CO.UK
Will use keytab
Commit Succeeded
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
La mia configurazione è sotto. Se qualcuno riesce a individuare qualcosa di sbagliato, sarei molto grato. Standalone.xml (cose che ho aggiunto):
<system-properties>
<property name="java.security.krb5.kdc" value="mykdc.mycomp.co.uk"/>
<property name="java.security.krb5.realm" value="MYCOMP.CO.UK"/>
<property name="java.security.krb5.conf" value="/home/user1/dev/krb5.conf"/>
<property name="jboss.security.disable.secdomain.option" value="true"/>
<property name="java.security.krb5.debug" value="true"/>
</system-properties>
<security-domain name="host" cache-type="default">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="storekey" value="true"/>
<module-option name="refreshKrb5Config" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="HTTP/u1604ecm@MYCOMP.CO.UK"/>
<module-option name="keyTab" value="/home/user1/dev/spnego.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="debug" value="true"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="app-spnego" cache-type="default">
<authentication>
<login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="host"/>
</login-module>
</authentication>
</security-domain>
krb5.conf:
[libdefaults]
default_realm = MYCOMP.CO.UK
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
MYCOMP.CO.UK = {
kdc = mykdc.mycomp.co.uk
}
[domain_realm]
MYCOMP.CO.UK = MYCOMP.CO.UK
.MYCOMP.CO.UK = MYCOMP.CO.UK
jboss-web.xml:
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_10_0.xsd">
<security-domain>app-spnego</security-domain>
<jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>
web.xml:
<security-constraint>
<display-name>Security Constraint on Conversation</display-name>
<web-resource-collection>
<web-resource-name>ivwb</web-resource-name>
<url-pattern>*.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>All</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>SPNEGO</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>Role required to log in to the Application</description>
<role-name>All</role-name>
</security-role>
ktpass:
ktpass -princ HTTP/u1604ecm@MYCOMP.CO.UK -pass mypass -mapuser authcheck@MYCOMP.CO.UK -out c:\spnego.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
C:\Users\administrator.MYCOMP>setspn -l authcheck
Registered ServicePrincipalNames for CN=Authentication User,CN=Users,DC=mycomp,DC=co,DC=uk:
HTTP/u1604ecm
HTTP/u1604ecm.mycomp.co.uk
HTTP/u1604ecm@MYCOMP.CO.UK
C:\Users\administrator.MYCOMP>setspn -l u1604ecm
Registered ServicePrincipalNames for CN=U1604ECM,CN=Computers,DC=mycomp,DC=co,DC=uk:
Grazie Mark.