...

SPNEGO with Geronimo requires three machines: a client machine, a server machine and a Microsoft Active Directory domain controller. The client and server machines must both be members of the Active Directory domain.

Setting up the Active Directory Domain Controller

...

  • Create a user in the Active Directory. Make sure that the user you create is unique and is not listed under Computers or Domain Controllers. In our case we have created a user called testuser with the password testuser123.
  • Map the service principal name to the user account you created in the previous step. A service principal name (SPN) has the form HTTP/<Fully_Qualified_Host_Name>; in our case the SPN is HTTP/test.xyz.com. Run the following command to map the SPN to the user account:
    C:\Program Files\Support Tools>setspn -A HTTP/test.xyz.com testuser
  • The next step is to create a keytab file. Run the following command (note the space between the mapped user name and -mapOp):
    C:\Program Files\Support Tools>ktpass -out c:\winnt\krb5.keytab -princ HTTP/test.xyz.com@XYZ.COM -mapUser testuser -mapOp set -pass testuser123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

With this step we are done setting up the Active Directory domain controller machine.

Setting up the client machine

On the client machine we need to configure the browser for SPNEGO. Internet Explorer can be configured as follows:

  • Go to Tools->Internet Options->Security->Local Intranet->Sites. Check all three boxes.
  • Go to Tools->Internet Options->Security->Local Intranet->Sites->Advanced. Add the name of the server host machine. In our case we have added it as http://test.xyz.com. Select OK.
  • Go to Tools->Internet Options->Security->Local Intranet. Select Custom Level. Scroll down to the bottom and check that Logon is set to "Automatic Logon in Intranet zone".
  • Go to Tools->Internet Options->Advanced. Check that "Enable Integrated Windows Authentication (requires restart)" is selected.

Mozilla Firefox can be configured as follows:

  • In the URL address bar type about:config and press Enter.
  • In the filter enter network.nego. This lists 5 properties. Modify the following two:
    network.negotiate-auth.delegation-uris and add http://,https://
    network.negotiate-auth.trusted-uris and add http://,https://
  • Once done, restart the browser.

This sets up your client machine. Make sure you log in to the client machine with an account from the Active Directory domain.