вторник, 25 октября 2016 г.

Kerberos SPNEGO Checksum failed problem

I made SPNEGO authentication for my web apps. During development I met a problem authenticating users using keytab file for HTTP services:

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

I've found solution how to resolve a problem. I've used RHEL 7 on servers and clients, and FreeIPA as a KDC/LDAP server:

1. Open /etc/krb5.conf on web app server and add into section [libdefaults] one line

[libdefaults]
default_tkt_​enctypes = arcfour-hmac-md5

This is most important thing. This line resolves "Checksum failed" problem

2. On a client:
kinit username
Password for username@MYSERVICE.COM: 

after successful authentication in Kerberos domain we can access Kerberized web apps using curl:
curl -v -k --negotiate -u :  --cacert /etc/ipa/ca.crt  https://myservice.com:8090/krb

3. In FireFox, print about:config in address bar -> I promise -> then find
network.negotiate-auth.delegation-uris​     value     http://,https://
network.negotiate-auth.trusted-uris           value     .myservice.com​



Комментариев нет:

Отправить комментарий