1
votes

Team, I have a question on Single Sign On using Kerberos Authentication.

We have generated a keytab file for a domain like "POC.MAIL.COM", and our server is hosted on "SW.MAIL.COM". As our application runs on WebSphere Application Server, we tried to set the Kerberos configuration as given in the document (page 167) http://www.redbooks.ibm.com/redbooks/pdfs/sg247771.pdf. We are facing an error saying "Cannot get credential for principal service HTTP/[email protected]". Can someone help me in resolving the issue?

Please post a comment if any additional information is required.

When I try to set the krb5.conf and keytab file on the "Kerberos Authentication Mechanism" page, we are getting this error.

When I ran the klist command as per your input, I got the output below:

    Key table: /etc/krb5/pocsso.keytab
    Number of entries: 1
    [1.] principal: HTTP/[email protected] KVNO: 12

UPDATE

    Ticket cache: FILE:/tmp/krb5cc_38698
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    01/09/2014 16:15   02/09/2014 02:21   krbtgt/[email protected]
            renew until 08/09/2014 16:15

2
How did you create the keytab? Check whether your host name is not server1.sw.mail.com (lower case). In general you probably have a mismatch between the server name and the SPN in the keytab. – Gas

Host name is the same. Why is it trying to get the principal for SW.MAIL.COM instead of POC.MAIL.COM? – Chilukuri

Because either you generated the wrong keytab/SPN or you created the wrong config in WAS. Your keytab should be generated for HTTP/[email protected], and in your WAS SPNEGO config you should have server name server1.SW.MAIL.COM and realm POC.MAIL.COM. – Gas

How are you invoking kinit? – Gas

I wrote you to create a new keytab as the old one was wrong. Did you do it? What was the result? Attach to your question the command line you are using to create the keytab and the contents of the krb5.conf file. – Gas

2 Answers

1
votes

Specify it only under Global security > SPNEGO web authentication, not on the Kerberos configuration page. If the keytab path is correct in your krb5.conf file, it is enough to provide just the path to the conf file (the keytab is optional).

UPDATE
In the filter definition you should have:

Host name: server1.sw.mail.com  
Kerberos realm name:  POC.MAIL.COM  
Filter criteria: yourFilterCriteria
Trim Kerberos realm from principal name - checked  

See configuration details here: Enabling and configuring SPNEGO web authentication using the administrative console

Minimal configuration in web.xml for Java EE security. You also have to have Application Security enabled in the server configuration, and userRole mapped to some users/groups from the registry.

    <!-- Protect every URL of the application and require the userRole role -->
    <security-constraint>
        <display-name>constraint</display-name>
        <web-resource-collection>
            <web-resource-name>all resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>userRole</role-name>
        </auth-constraint>
    </security-constraint>
1
votes

A bit of a late answer.

Regenerate the keytab file by running the ktpass command as:

ktpass -out file.keytab -princ HTTP/server1.SW.MAIL.COM@POC.MAIL.COM -mapuser your-user -pass your-pwd -ptype KRB5_NT_PRINCIPAL

Solving the error:

org.ietf.jgss.GSSException, major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Cannot get credential for principal HTTP/[email protected]

boils down to the following rules when generating the keytab file:

  • The principal service must follow the format

<service name>/<fully qualified hostname>@KerberosRealm

  • Double check the spelling of the principal service
  • The service name must be all upper case, that is HTTP and not http
  • The Kerberos realm must also be all upper case, and
  • The host name must be found in the /etc/hosts file or on the DNS server.

Sources:
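As an added example (not code from the question or from either answer), the following Python checker parses `klist -k` style output like the keytab listing in the question and tests every principal against the rules listed above, so a realm, case or host mismatch is reported before WAS fails with "Cannot get credential". The sample keytab listing is constructed; the concrete principals in it are assumptions, because the page shows them only in obfuscated form. The DNS/hosts check is injected as a callable so the audit can run offline.

```python
import re
import socket
from dataclasses import dataclass

# Constructed sample modelled on the `klist -k` listing in the question.
# Entry [1.] is what a correct keytab for this thread should contain (assumed);
# entry [2.] deliberately breaks the service-name, realm and host rules.
SAMPLE_KLIST_OUTPUT = """\
Key table: /etc/krb5/pocsso.keytab
Number of entries: 2

[1.] principal: HTTP/server1.SW.MAIL.COM@POC.MAIL.COM KVNO: 12
[2.] principal: http/server1.sw.mail.com@sw.mail.com KVNO: 3
"""

# <service>/<fully qualified host>@<REALM>
SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


@dataclass
class Spn:
    service: str
    host: str
    realm: str

    @classmethod
    def parse(cls, text):
        m = SPN_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a service principal: {text!r}")
        return cls(m["service"], m["host"], m["realm"])


def parse_klist_keytab(output):
    """Return the principal strings found in `klist -k` output (IBM JDK layout)."""
    return [m.group(1) for m in re.finditer(r"principal:\s*(\S+)", output)]


def expected_spn(host, realm):
    """The SPN WAS will look for: service HTTP, the configured host, upper-case realm."""
    return f"HTTP/{host}@{realm.upper()}"


def resolves(host):
    """Default resolver: True if /etc/hosts or DNS knows the host."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def check_spn(principal, expected_host, expected_realm, resolve=resolves):
    """Return a list of problems for one keytab principal; an empty list means OK."""
    try:
        spn = Spn.parse(principal)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if spn.service != "HTTP":
        problems.append(f"service name must be HTTP, got {spn.service!r}")
    if spn.realm != spn.realm.upper():
        problems.append(f"realm must be upper case, got {spn.realm!r}")
    if spn.realm != expected_realm.upper():
        problems.append(f"realm {spn.realm!r} differs from configured realm {expected_realm.upper()!r}")
    if spn.host != expected_host:
        # Kerberos compares principal names case-sensitively, so a lower-case
        # host in the keytab does not match an upper-case host in the WAS config.
        problems.append(f"host {spn.host!r} differs from configured host {expected_host!r}")
    if not resolve(spn.host):
        problems.append(f"host {spn.host!r} is not in /etc/hosts or DNS")
    return problems


def audit_keytab(output, host, realm, resolve=resolves):
    """Map every principal in the listing to its problems, plus whether the expected SPN is present."""
    principals = parse_klist_keytab(output)
    report = {p: check_spn(p, host, realm, resolve) for p in principals}
    report["__expected_present__"] = expected_spn(host, realm) in principals
    return report


if __name__ == "__main__":
    # Stub the resolver so the demo runs without network access.
    for name, result in audit_keytab(SAMPLE_KLIST_OUTPUT, "server1.SW.MAIL.COM",
                                     "POC.MAIL.COM", resolve=lambda h: True).items():
        print(name, "->", result or "OK")
```

Run it against the real listing with `klist -k -t /etc/krb5/pocsso.keytab` piped into `audit_keytab`, using the host name and realm exactly as entered in the SPNEGO filter; any non-empty problem list points at the keytab or configuration value that has to change.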