I set up SPNEGO authentication for my web apps. During development I ran into a problem authenticating users with a keytab file for HTTP services:
Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
I found a solution to the problem. I used RHEL 7 on the servers and clients, and FreeIPA as the KDC/LDAP server:
1. Open /etc/krb5.conf on the web app server and add one line to the [libdefaults] section:
[libdefaults]
default_tkt_enctypes = arcfour-hmac-md5
This is the most important step: this line resolves the "Checksum failed" problem.
2. On a client:
kinit username
Password for username@MYSERVICE.COM:
After successful authentication in the Kerberos domain, we can access Kerberized web apps using curl:
curl -v -k --negotiate -u : --cacert /etc/ipa/ca.crt https://myservice.com:8090/krb
3. In Firefox, type about:config in the address bar -> I promise -> then find
network.negotiate-auth.delegation-uris value http://,https://
network.negotiate-auth.trusted-uris value .myservice.com
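A check that fits step 1, as an added example that is not part of the original post: it compares the enctypes of the HTTP service keys in a keytab listing (klist -ket output) with default_tkt_enctypes in [libdefaults], treating aliases such as arcfour-hmac and arcfour-hmac-md5 as the same type. The listing and krb5.conf fragment are constructed samples, the function names are hypothetical, and the premise that the keytab and this setting should share an enctype is an assumption the post does not state.

```shell
# Constructed `klist -ket` output for the web app server's keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   1 01/01/2024 10:00:00 HTTP/myservice.com@MYSERVICE.COM (arcfour-hmac)
   1 01/01/2024 10:00:00 host/myservice.com@MYSERVICE.COM (aes256-cts-hmac-sha1-96)'

# Constructed krb5.conf fragment containing the line from step 1.
SAMPLE_CONF='[libdefaults]
 default_tkt_enctypes = arcfour-hmac-md5
[realms]'

# Collapse MIT krb5 enctype aliases to one name per key type (one per line).
canon() {
  while read -r e; do
    case "${e#DEPRECATED:}" in
      arcfour-hmac|arcfour-hmac-md5|rc4-hmac) echo rc4-hmac ;;
      aes256-cts-hmac-sha1-96|aes256-cts|aes256-sha1) echo aes256-sha1 ;;
      aes128-cts-hmac-sha1-96|aes128-cts|aes128-sha1) echo aes128-sha1 ;;
      ?*) echo "${e#DEPRECATED:}" ;;
    esac
  done | sort -u
}

# stdin: klist -ket text; $1: principal prefix. Prints that principal's enctypes.
keytab_enctypes() {
  awk -v p="$1" 'NF >= 2 && $NF ~ /^\(/ && index($(NF-1), p) == 1 {
    gsub(/[()]/, "", $NF); print $NF }' | canon
}

# stdin: krb5.conf text. Prints default_tkt_enctypes from [libdefaults] only.
conf_enctypes() {
  awk '/^[ \t]*\[/ { lib = ($0 ~ /\[libdefaults\]/); next }
       lib && /^[ \t]*default_tkt_enctypes[ \t]*=/ { sub(/^[^=]*=/, ""); print }' |
    tr ', \t' '\n\n\n' | canon
}

# $1: klist text, $2: krb5.conf text, $3: principal prefix. Prints shared enctypes; returns 1 if none.
enctype_overlap() {
  kt=$(printf '%s\n' "$1" | keytab_enctypes "$3")
  cf=$(printf '%s\n' "$2" | conf_enctypes | tr '\n' ' ')
  common=""
  for e in $kt; do
    case " $cf " in *" $e "*) common="${common:+$common }$e" ;; esac
  done
  printf '%s\n' "$common"
  [ -n "$common" ]
}
enctype_overlap "$SAMPLE_KLIST" "$SAMPLE_CONF" HTTP/ || echo "no shared enctype"
```

On a real server, pass it the output of klist -ket for the service keytab and the contents of /etc/krb5.conf. arcfour-hmac-md5 is RC4-HMAC, which RFC 8429 deprecates for Kerberos, so the same listing also shows whether the keytab carries AES keys.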