
SPNEGO with Geronimo requires three machines: a client machine, a server machine and a Microsoft Active Directory domain controller. The client and server machines must be members of the Active Directory domain.

Setting up the Active Directory Domain Controller

  • Create a user in Active Directory. Make sure the user you create is unique and is not listed under Computers or Domain Controllers. In our case we have created a user called testuser with the password testuser123.
  • Map the service principal name to the user account you created in the previous step. A service principal name (SPN) has the form HTTP/<Fully_Qualified_Host_Name>. In our case the SPN is HTTP/test.xyz.com. Run the following command to map the SPN to the user account:
    C:\Program Files\Support Tools>setspn -A HTTP/test.xyz.com testuser
  • The next step is to create a keytab file. Run the following command:
    C:\Program Files\Support Tools>ktpass -out c:\winnt\krb5.keytab -princ HTTP/test.xyz.com@XYZ.COM -mapUser testuser -mapOp set -pass testuser123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

With this step we are done with setting up the Active Directory domain controller machine.

Setting up the client machine

On the client machine we need to configure the browser for SPNEGO. Internet Explorer can be configured as follows:

  • Go to Tools->Internet Options->Security->Local Intranet->Sites. Check all three boxes.
  • Go to Tools->Internet Options->Security->Local Intranet->Sites->Advanced. Add the name of the server host machine. In our case we have added it as http://test.xyz.com. Select OK.
  • Go to Tools->Internet Options->Security->Local Intranet. Select Custom Level. Scroll down to the bottom and check that Logon is set to "Automatic Logon in Intranet zone".
  • Go to Tools->Internet Options->Advanced. Check that "Enable Integrated Windows Authentication (requires restart)" is selected.

Mozilla Firefox can be configured as follows:

  • In the URL address bar type about:config and press Enter.
  • In the filter enter network.nego. This lists 5 properties. Modify
    network.negotiate-auth.delegation-uris and add http://,https://
    network.negotiate-auth.trusted-uris and add http://,https://
  • Once done, restart the browser.

This sets up your client machine. Make sure you log in to the client machine with an account from the Active Directory domain.

Setting up your Geronimo server machine

  • Make sure you log in to this machine with an account from the Active Directory domain.
  • Install Geronimo on the server machine.
  • Copy the krb5.keytab created in #3 of "Setting up the Active Directory Domain Controller" to C:/winnt on the server machine.
  • Copy the krb5.ini file to C:/winnt on the server machine. A sample krb5.ini for your reference:
    krb5.ini
    [libdefaults]
    default_realm = XYZ.COM
    default_keytab_name = FILE:c:\winnt\krb5.keytab
    default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
    default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
    forwardable=true
    
    [realms]
    XYZ.COM = {
        kdc = ram1.xyz.com:88
    }
    
    [domain_realm]
    xyz.com = XYZ.COM
    .xyz.com = XYZ.COM
    
  • Set the following parameters before starting the server:
    set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false -Dorg.apache.tomcat.config.NEGOTIATE=true
    Make sure you set org.apache.tomcat.config.NEGOTIATE=true, otherwise you will not be able to use SPNEGO.
  • Start the server with "geronimo.bat run" command.
  • Create a realm for SPNEGO. You can also configure a fallback for the case where SPNEGO fails. For reference, here is a sample SPNEGO realm. This
    realm combines a SPNEGO login module with a properties-file login module. If SPNEGO authentication fails, authentication falls back to the
    properties realm.
    spnego_properties_realm.xml
    <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
        <environment>
            <moduleId>
                <groupId>console.realm</groupId>
                <artifactId>SpnegoTest</artifactId>
                <version>1.0</version>
                <type>car</type>
            </moduleId>
            <dependencies>
                <dependency>
                    <groupId>org.apache.geronimo.framework</groupId>
                    <artifactId>j2ee-security</artifactId>
                    <type>car</type>
                </dependency>
            </dependencies>
        </environment>
        <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <attribute name="realmName">SpnegoTest</attribute>
            <reference name="ServerInfo">
                <name>ServerInfo</name>
            </reference>
            <xml-reference name="LoginModuleConfiguration">
                <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                    <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                        <log:login-domain-name>SpnegoTest</log:login-domain-name>
                        <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
                        <log:option name="targetName">http/test.xyz.com</log:option>
                        <log:option name="ldapUrl">ldap://ram1.xyz.com:389</log:option>
                        <log:option name="ldapLoginName">ashish</log:option>
                        <log:option name="ldapLoginPassword">ashish123</log:option>
                        <log:option name="searchBase">DC=xyz,DC=COM</log:option>
                    </log:login-module>
                    <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                        <log:login-domain-name>demo-properties-realm</log:login-domain-name>
                        <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
                        <log:option name="usersURI">var/security/demo_users.properties</log:option>
                        <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
                    </log:login-module>
                </log:login-config>
            </xml-reference>
        </gbean>
    </module>
    
  • Develop an application and make sure you use BASIC as the authentication mechanism in its web.xml.
  • Access the protected resource of the application from the client machine. You should be able to access the resource without any prompt for a username and password.
  • Now access the protected resource from a machine that is not part of the Active Directory domain. In this case the SPNEGO login fails and authentication falls back to the properties-file login. Enter the credentials and you will be able to access the resources.
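The krb5.ini copied to the server machine is the first thing the JGSS stack reads, and a mismatch between [libdefaults], [realms] and [domain_realm] shows up only as an opaque Kerberos error at login time. As an added check (this is not part of the Geronimo documentation or the project's code), the following Python script parses the subset of krb5.ini syntax used in this section and reports inconsistencies before the server is started. The sample text is a constructed copy of the krb5.ini shown above; the check list (default_realm defined under [realms], every [domain_realm] mapping pointing at a defined realm, the FILE: keytab prefix, DES and RC4 enctypes flagged) is this example's own. It will flag the rc4-hmac and DES enctypes in the page's sample: single-DES types are disabled by default in current MIT, Heimdal and Java Kerberos implementations, and RC4-HMAC is deprecated by RFC 8429.

```python
"""Consistency check for a krb5.ini before starting the Geronimo server.

Added example; not code from the Geronimo project. The krb5.ini text is a
constructed copy of the sample on this page, and the checks are this
example's own.
"""
import re

# Constructed copy of the page's sample krb5.ini.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = XYZ.COM
default_keytab_name = FILE:c:\\winnt\\krb5.keytab
default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
forwardable=true

[realms]
XYZ.COM = {
    kdc = ram1.xyz.com:88
}

[domain_realm]
xyz.com= XYZ.COM
.xyz.com = XYZ.COM
"""

# Single-DES types are disabled by default in current MIT, Heimdal and Java
# Kerberos implementations; RC4-HMAC is deprecated by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "rc4-hmac", "arcfour-hmac"}


def parse_krb5_ini(text):
    """Parse the krb5.ini subset used on this page into {section: {key: value}}.
    Braced realm blocks nest one level deeper: {"realms": {"XYZ.COM": {"kdc": ...}}}."""
    config, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            section, block = header.group(1), None
            config.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("key/value before any [section]: %r" % raw)
        if line == "}":                       # end of a nested block
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":                      # start of a nested block
            block = key
            config[section][block] = {}
        elif block is not None:
            config[section][block][key] = value
        else:
            config[section][key] = value
    return config


def check_krb5_ini(text):
    """Return a list of findings; an empty list means no problems were found."""
    cfg = parse_krb5_ini(text)
    defaults = cfg.get("libdefaults", {})
    realms = cfg.get("realms", {})
    findings = []

    default_realm = defaults.get("default_realm")
    if not default_realm:
        findings.append("[libdefaults] default_realm is not set")
    else:
        if default_realm not in realms:
            findings.append("default_realm %s has no [realms] entry" % default_realm)
        if default_realm != default_realm.upper():
            findings.append("realm names are case-sensitive; %s should be upper-case" % default_realm)

    for name, body in realms.items():
        if "kdc" not in body:
            findings.append("[realms] %s defines no kdc" % name)

    for domain, mapped in cfg.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append("[domain_realm] %s maps to undefined realm %s" % (domain, mapped))

    keytab = defaults.get("default_keytab_name", "")
    if keytab and not keytab.upper().startswith("FILE:"):
        findings.append("default_keytab_name should use the FILE: prefix")

    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enctype in defaults.get(key, "").split(","):
            if enctype.strip().lower() in WEAK_ENCTYPES:
                findings.append("[libdefaults] %s lists weak or deprecated enctype %s"
                                % (key, enctype.strip()))
    return findings


if __name__ == "__main__":
    for finding in check_krb5_ini(SAMPLE_KRB5_INI) or ["no findings"]:
        print(finding)
```

Run it against the real file with `check_krb5_ini(open(r"C:\winnt\krb5.ini").read())`; on the page's sample it reports only the six enctype findings, which is the expected result for that configuration.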

A few very important points to note:

  • Make sure that you use BASIC as the authentication mechanism in your web application if you want to configure SPNEGO with Geronimo.
  • The realm provided is a combination of two login modules, which can easily be created through the Geronimo administrative console.
  • While creating a security realm for the SPNEGO login module you need to specify just one option, of the form "targetName=http/<fully_qualified_host_name>". Have a look at the sample realm; it shows the option to be used.
  • Make sure you choose SUFFICIENT as the control-flag while creating the two login modules.
  • Make sure you map only one user to the SPN, as described in #2 of "Setting up the Active Directory Domain Controller".
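The sample realm in the previous section and the note about the SUFFICIENT control-flag both hinge on how JAAS combines the flags of a login-module stack. As an added example (not Geronimo code), the following Python script parses a constructed copy of the page's <log:login-config> fragment and replays the JAAS control-flag rules with simulated module outcomes: SPNEGO success short-circuits the stack, SPNEGO failure falls through to the properties module, and marking the SPNEGO module REQUIRED instead would deny every client that is not in the domain, even with valid fallback credentials. Module results are simulated booleans; no Kerberos or LDAP calls are made.

```python
"""Why both login modules in the sample realm carry control-flag="SUFFICIENT".

Added example; not code from the Geronimo project. The XML is a constructed
copy of the page's login-config fragment, and the module outcomes are
simulated, not real SPNEGO or properties-file logins.
"""
import xml.etree.ElementTree as ET

LOG_NS = "{http://geronimo.apache.org/xml/ns/loginconfig-2.0}"

# Constructed copy of the page's <log:login-config> fragment (LDAP options omitted).
LOGIN_CONFIG_XML = """\
<log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
    <log:login-domain-name>SpnegoTest</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
    <log:option name="targetName">http/test.xyz.com</log:option>
  </log:login-module>
  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
    <log:login-domain-name>demo-properties-realm</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
    <log:option name="usersURI">var/security/demo_users.properties</log:option>
  </log:login-module>
</log:login-config>
"""


def parse_login_config(xml_text):
    """Return [(login-domain-name, CONTROL-FLAG), ...] in declaration order."""
    root = ET.fromstring(xml_text)
    modules = []
    for lm in root.findall(LOG_NS + "login-module"):
        name = lm.findtext(LOG_NS + "login-domain-name")
        modules.append((name, lm.get("control-flag").upper()))
    return modules


def jaas_stack_result(modules, outcomes):
    """Replay the JAAS LoginContext decision for a stack of login modules.

    modules:  [(name, flag)] with flag in REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL
    outcomes: {name: True/False}, the simulated result of each module's login()
    Returns (authenticated, [names whose login() actually ran]).
    """
    ran, required_failed, optional_succeeded = [], False, False
    for name, flag in modules:
        ran.append(name)
        ok = outcomes.get(name, False)
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break           # REQUISITE failure ends the stack at once
        elif flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, ran    # SUFFICIENT success short-circuits the stack
            optional_succeeded = optional_succeeded or ok
        elif flag == "OPTIONAL":
            optional_succeeded = optional_succeeded or ok
        else:
            raise ValueError("unknown control flag %r" % flag)
    if required_failed:
        return False, ran
    # No REQUIRED/REQUISITE module failed.  If any such module exists the
    # stack succeeds; otherwise some SUFFICIENT or OPTIONAL module must have.
    has_required = any(f in ("REQUIRED", "REQUISITE") for _, f in modules)
    return (has_required or optional_succeeded), ran


def authenticate(modules, spnego_ok, properties_ok):
    """Run the two-module stack from the page with the given simulated outcomes."""
    return jaas_stack_result(modules, {"SpnegoTest": spnego_ok,
                                       "demo-properties-realm": properties_ok})


if __name__ == "__main__":
    stack = parse_login_config(LOGIN_CONFIG_XML)
    print("domain client, SPNEGO ok:      ", authenticate(stack, True, False))
    print("non-domain client, fallback ok:", authenticate(stack, False, True))
    strict = [("SpnegoTest", "REQUIRED")] + stack[1:]
    print("same, SPNEGO marked REQUIRED:  ", authenticate(strict, False, True))
```

The last case is the one the "choose SUFFICIENT" note guards against: with the SPNEGO module REQUIRED, the properties module still runs, but its success cannot rescue the login, so every non-domain client is denied.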