
I want to use Kerberos to do auth to an IIS kerberos protected web site from a Java application. The goal is to be able to use a keytab file to authenticate with a service account without specifying a username and password.

This describes how to use http client to auth using kerberos. But it requires a couple special configuration files login.conf and krb5.ini.

The format of the login.conf file is described here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html

The format of the krb5.ini file is described here: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

I also found some related sof articles (listed below).

But none of them seem to describe the process of actually creating the login.conf file and the krb5.conf/krb5.ini file for use against Active Directory.

What are the steps to generate these files for use with a Windows Active Directory Kerberos setup?

Here's what I have so far, but I'm completely going off of examples I've found from friends and random links around the web.

login.conf

KrbLogin {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="file:///C:/kerb/kerberos500.keytab"
  useTicketCache=true
  principal="kerberos500@FUSIONIS.LIFE"
  debug=true;
};

com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/home/ndipiazza/lucidworks/httpclient-tester/kb.keytab"
  useTicketCache=true
  principal="kerberos500@FUSIONIS.LIFE"
  debug=true;
};

krb5.ini

[libdefaults]
    default_realm = FUSIONIS.LIFE
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes128-cts-hmac-sha1-96  rc4-hmac
    permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    udp_preference_limit = 1

[realms]
FUSIONIS.LIFE = {
   kdc = 192.168.1.71
   admin_server = 192.168.1.71
}

[domain_realm]
.fusionis.life = FUSIONIS.LIFE
fusionis.life = FUSIONIS.LIFE

Create the keytab on Windows

ktpass /princ kerberos500@FUSIONIS.LIFE /pass password /ptype KRB5_NT_PRINCIPAL /out kerberos500.keytab

Creating the KeyTab on Ubuntu Linux

ktutil
addent -password -p kerberos500@FUSIONIS.LIFE -k 1 -e RC4-HMAC
- it will ask you for the password of kerberos500 -
wkt kerberos500.keytab
q

Related sofs:

HttpClient set credentials for Kerberos authentication

Simple Kerberos client in Java?

Where is the krb5.ini file in alter Windows file gone?

Nicholas DiPiazza
  • I think after asking this, the answer is -> use the documentation links I provided to learn what to put in these files, then set them yourself. Finding an example to get you started is useful (which I've already done). There is no command to build these. It's totally manual. – Nicholas DiPiazza Apr 04 '18 at 16:36
  • Please make your comment into an answer and self-mark it as accepted. It is OK to do this. This also signposts it to others who may also be searching about this same problem. – T-Heron May 01 '18 at 11:09
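Since the thread concludes that these files are written by hand, here is an added example (not the poster's code) that parses a krb5.ini in the format shown above and flags the mistakes that commonly break a Java client against Active Directory: a principal whose realm differs from default_realm, no kdc listed for the realm, an incomplete [domain_realm] mapping, and weak encryption types such as rc4-hmac in the enctype lists. The KDC hostname in the constructed sample is a placeholder.

```python
# Added example: lint a krb5.ini in the format above for points that commonly break Java-against-AD setups.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

SAMPLE_KRB5_INI = """
[libdefaults]
    default_realm = FUSIONIS.LIFE
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
[realms]
FUSIONIS.LIFE = {
   kdc = kdc.example.invalid
}
[domain_realm]
.fusionis.life = FUSIONIS.LIFE
fusionis.life = FUSIONIS.LIFE
"""  # constructed sample modelled on the question's file; the KDC host is a placeholder

def parse_krb5(text):
    """Parse [section] headers, key = value lines and the brace blocks used under [realms]."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):                   # e.g. "FUSIONIS.LIFE = {"
            sub = line[:-1].strip().rstrip("=").strip()
            conf[section][sub] = {}
        elif line == "}":
            sub = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (conf[section][sub] if sub else conf[section])[key] = value
    return conf

def lint_krb5(text, principal):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_krb5(text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")
    findings = []
    if principal.rsplit("@", 1)[-1] != realm:
        findings.append(f"principal realm differs from default_realm {realm!r}")
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append(f"[realms] has no kdc for {realm!r}")
    if any(conf.get("domain_realm", {}).get(d) != realm for d in (realm.lower(), "." + realm.lower())):
        findings.append("[domain_realm] lacks host or wildcard mapping to the realm")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = WEAK_ENCTYPES & set(libdefaults.get(key, "").split())
        if weak:
            findings.append(f"{key} allows weak enctypes: {', '.join(sorted(weak))}")
    return findings
```

Run `lint_krb5(open("krb5.ini").read(), "kerberos500@FUSIONIS.LIFE")` against your own file; the keys a Java client needs in [realms] and [domain_realm] are the ones the question's example sets.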

1 Answer


I think after asking this, the answer is -> use the documentation links I provided to learn what to put in these files, then set them yourself. Finding an example to get you started is useful (which I've already done). There is no command to build these. It's totally manual.

Nicholas DiPiazza