Integrated Windows Authentication (SPNEGO) for Web Applications on JBoss EAP 6.1

Posted: July 7th, 2013 | Filed under: Technology | 16 Comments

Generate a Keytab File

A keytab file is key (no pun intended) to the authentication process, as it allows a user or service to log in to Kerberos without being prompted for a password. A keytab file contains pairs of principals and their keys. In our case, we will need to create a Service Principal Name (SPN) that represents our JBoss server and store this value in the keytab file. The SPN is a key component because it represents the JBoss server within Kerberos; without it, clients would be unable to locate the service, and thus our web application. Generating the keytab file is the point where the majority of issues arise while configuring the entire integrated authentication process. At a high level, here are the steps involved:

  1. Create a user account within Active Directory to represent the service
  2. Create a SPN to identify the service
  3. Generate the keytab file

The following steps require access by a user with appropriate rights on the Windows Domain Controller. Hopefully you have a good relationship with these members of your team (if you do not have these rights already).

Create a user account

Within the Active Directory Users and Computers console, create a new User Account. It is important that this be a regular user account and not a machine account. In addition, this account should never be used by an actual human to log on to a machine. Give the user a name and login name and press Next. Enter a password for the user. For example, the user name “eapdevserver” and password “test1234” will be used in subsequent examples. Since this account is acting as a service account, select the “User cannot change password” and “Password never expires” options and select Next. Finally, verify the user settings and click Finish.

If you are still operating in a Windows 2003 or earlier domain environment, additional steps are required. Open the properties for the user created previously by right-clicking on the user and selecting Properties. Navigate to the Account tab. Check “Use DES encryption types for this account” and “Do not require Kerberos preauthentication”. These settings are required because of the encryption types supported in these versions of Windows. While the Account tab is open, the Kerberos realm name can also be obtained. In the Kerberos world, a realm is a set of managed nodes which share the same database. The realm name is located on the right side under the User logon name (in the form @DOMAIN.ORG). Kerberos requires that the name of the realm be specified in all uppercase. All subsequent examples where a realm name is required will use the example realm name JBOSS.ORG.

Create the Service Principal Name

The setspn utility allows for the manipulation of Service Principals. It is used to create a service principal for the user created previously. A service principal takes the following form:

serviceclass/host

Since the web application communicates via the HTTP protocol, HTTP is the service class. The host is the fully qualified domain name (FQDN) of the JBoss server. The FQDN of the JBoss server in this discussion is eapdev.jboss.org. To add a Service Principal, the command takes the following format:

setspn -a HTTP/<host> <username>

Run the following command on the Domain Controller:

setspn -a HTTP/eapdev.jboss.org eapdevserver

Executing the setspn command above is not strictly required, as the subsequent ktpass command will perform this operation automatically. However, it is useful to demonstrate the commands that can be used to manipulate Service Principals.

Generate the Keytab File

Finally, the ktpass utility is used to generate the keytab file itself by mapping the service principal to the user account created previously. This file will be stored and used on the JBoss server. This generation step has caused a large amount of frustration because of the numerous options provided by the utility and the strict rules governing Kerberos authentication.

First, a word on keytab files. Think of them as a snapshot in time of the mapped user account. Any modification to the account (a password change in particular) requires the generation of a new keytab file. Creating a keytab file for a JBoss server running in a Windows 2008 domain environment uses the following format:

ktpass /princ HTTP/<fully_qualified_host_name>@<REALM> /pass "<password>" /mapuser "<domain>\<user>" /out <keytab_file_name> /ptype KRB5_NT_PRINCIPAL /kvno 0 /crypto RC4-HMAC-NT

Based on the example user and JBoss server from this discussion, execute the following command which will generate the keytab file:

ktpass /princ HTTP/eapdev.jboss.org@JBOSS.ORG /pass "test1234" /mapuser "JBOSS\eapdevserver" /out eapdev.keytab /ptype KRB5_NT_PRINCIPAL /kvno 0 /crypto RC4-HMAC-NT

There are certainly a number of options used in the above command. While several of them are fairly self-explanatory, a few deserve an extended discussion:

  • ptype – The principal type. KRB5_NT_PRINCIPAL is the recommended value.
  • kvno – The key version number. The version contained within the keytab must match the version held by the Key Distribution Center (KDC; a component of Active Directory). We specify the key version number explicitly to ensure this is the case.
  • crypto – The type of keys that will be generated for the keytab. RC4-HMAC-NT is the default; stronger encryption types such as AES128-SHA1 or AES256-NT can be specified instead. On Windows 2003 and earlier domain environments, the only options available are DES-CBC-CRC or DES-CBC-MD5. Windows 7 and higher do not support DES keys for Kerberos authentication by default, so additional client configuration steps are required for authentication to succeed with a DES keytab.

Copy the generated keytab file to a location on the JBoss server.
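Once the file is on the JBoss server, it is worth confirming what it actually contains before wiring up the security domain. The following Python script, added here as an example and not part of the original post, parses the MIT keytab format that ktpass writes and flags the three problems the options above guard against: a missing principal, a key version that does not match the KDC, and a DES key type. The SAMPLE_KEYTAB bytes are constructed inside the script for illustration; on a real server, read the keytab from disk and pass the key version the KDC holds for the account (the msDS-KeyVersionNumber attribute in Active Directory).

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",  # RFC 3961/4757
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _cstr(data, pos):  # counted octet string: uint16 length, then the bytes
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):  # MIT keytab, version 0x0502, all integers big-endian
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size <= 0:  # a negative size marks a deleted slot to skip
            pos -= size
            continue
        end = pos + size
        ncomp, pos = struct.unpack(">H", data[pos:pos + 2])[0], pos + 2
        parts = []  # realm first, then the name components
        for _ in range(ncomp + 1):
            part, pos = _cstr(data, pos)
            parts.append(part)
        _ntype, _ts, vno8, etype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen  # step over the key bytes; a 32-bit kvno may follow them
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        pos = end
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": vno32 or vno8,
                        "enctype": ENCTYPES.get(etype, "etype %d" % etype)})
    return entries

def check_keytab(data, spn, expected_kvno):  # problems for one SPN, [] when all is well
    hits = [e for e in parse_keytab(data) if e["principal"] == spn]
    problems = [] if hits else ["no entry for %s" % spn]
    for e in hits:
        if e["kvno"] != expected_kvno:
            problems.append("kvno %d does not match KDC kvno %d" % (e["kvno"], expected_kvno))
        if e["enctype"].startswith("des-"):  # Windows 7+ clients reject DES by default
            problems.append("%s key will be rejected by Windows 7+ clients" % e["enctype"])
    return problems

def build_entry(spn, etype, kvno, key):  # constructs a sample entry; not real ktpass output
    name, realm = spn.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in [realm] + name.split("/"))
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SPN = "HTTP/eapdev.jboss.org@JBOSS.ORG"  # the post's SPN; the keytab below is constructed sample data
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 23, 0, b"\x11" * 16) + build_entry(SPN, 3, 0, b"\x22" * 8)
```

Running `check_keytab(open("eapdev.keytab", "rb").read(), SPN, kvno)` on the real file returns an empty list when the principal, key version and key type all line up with what the KDC expects.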


16 Comments on “Integrated Windows Authentication (SPNEGO) for Web Applications on JBoss EAP 6.1”

  1. Joey said at 9:53 am on July 8th, 2013:

    Good stuff man. I will have to give it a shot. Could be very useful for me 🙂

  2. Alex said at 2:10 am on September 20th, 2013:

    Thanks a lot for that great tutorial. It’s the best and most comprehensive I’ve ever seen.

    Nevertheless I’ve fallen (in my environment) into some traps and I want to share some hints:
    – the service user AND the calling user have to be flagged “AES256 for Kerberos enabled”; otherwise I’ve got a GSSException: “Checksum failed”; (maybe they only have to have the same encryptions enabled/disabled)
    – the SPN assigned to the service user is not allowed to be assigned to ANY other user
    – there may be a global Kerberos configuration (C:\Windows\krb5.ini) on the machine running the JBoss; check that for correct values
    – “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy” has to be installed on the server for AES256 support

    Some corrections:
    – the code of the login module is “UsersRoles” and not “UserRoles” (page 3)
    – the code of the login module is “SPNEGOUsers” and not “SPNEGO” (page 3)

    Maybe an interesting scenario to use SPNEGO for users logged into the domain, authenticate users not logged into the domain (e.g. working with a local account) using username/password against AD but load roles from AD in both cases:

    Thank you!

  3. sabre1041 said at 10:31 pm on September 23rd, 2013:

    Alex,

    Thanks for sharing some of your experiences with SPNEGO in your environment. I’m sure others implementing in a more secure environment will find the information very useful.

    In addition, good catch pointing out the error with the UsersRoles login module. I have gone in and made the appropriate corrections to the post.

    The SPNEGO login module can be represented as either SPNEGOUsers or just plain old SPNEGO. The EAP 6.1 Security Guide has examples of both implementations.

    Certainly an interesting scenario you posed. You may be able to accomplish this by chaining login modules and tweaking their configuration types. Very interested to hear if you are able to accomplish this.

    – Andy

  4. Chris said at 10:53 am on October 14th, 2013:

    Big thanks! Managed to get it to work without major hiccups.

    Is it possible to make this work without using roles? That is, any user that is authenticated in Active Directory would be able to log in without requiring extra configuration in the roles.properties.

  5. sabre1041 said at 12:15 pm on October 27th, 2013:

    Chris, you can use the AdvancedLdapLoginModule. See the following link for more information on how to configure it with SPNEGO:

    https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Negotiation_User_Guide/ch02s04s02.html

    Example Configuration:
    https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Negotiation_User_Guide/apas02.html#AdvLDAP_on_AD

  6. Elton said at 1:49 pm on March 7th, 2014:

    I currently have CAS configured with JBOSS 5 and need to move over to JBOSS 7. I already have keytab files and SPNs generated.
    I have 2 configurations: 1. Username and password is the same (default); 2. SPNEGO authentication to Active Directory. The new CAS zip file needs to be built with Ant or Maven. I did not see mention of that in your post. Is there something I am missing?

  7. John said at 1:22 pm on March 17th, 2014:

    Many, many thanks for this. I managed to get IWA working with our app without too many problems thanks to your very clear blog.

    I wondered if you knew of any way that an application could be configured to use SPNEGO/IWA if available and to fall back to a form based authentication if not?

  8. sabre1041 said at 10:47 pm on April 1st, 2014:

    John,

    You can add a form-login-config section to the login-config section of your web.xml. If SPNEGO authentication fails, it will fall back to the form based authentication.

  9. vrm said at 5:31 am on May 16th, 2014:

    I configured jboss-eap-6.1 as mentioned in this tutorial. When I test the negotiation toolkit, the security domain shows the following error: unable to obtain the password from user, and secured shows 401. Can anyone help?

  10. Spring Security without a login form | Questions and Answers Resource said at 12:37 pm on December 30th, 2014:

    […] The first thing that I need to do is identify who the user is. After reading Block 87’s article, I should start looking at SPNEGO and setting up each of the environments. From that point, I […]

  11. Srini said at 10:38 am on October 1st, 2015:

    Hi Andy,

    Thanks a lot for a very great tutorial on Integrated Windows Authentication for web applications; it is very well described step by step in good detail.

  12. Shyam said at 3:56 am on November 4th, 2015:

    Hi,
    I am configuring Kerberos for JBOSS EAP 6.4. I followed all the steps mentioned in the link https://access.redhat.com/webassets/avalon/d/Red_Hat_JBoss_Enterprise_Application_Platform-6.4-How_to_Setup_SSO_with_Kerberos-en-US/Red_Hat_JBoss_Enterprise_Application_Platform-6.4-How_to_Setup_SSO_with_Kerberos-en-US.pdf but am getting:
    15:24:43,139 INFO [stdout] (http-/127.0.0.1:8080-1) [Krb5LoginModule] authentication failed
    15:24:43,140 INFO [stdout] (http-/127.0.0.1:8080-1) Client not found in Kerberos database (6)

  13. Patel said at 5:03 pm on February 18th, 2016:

    Hi everyone,

    I’ve already completed each step of these processes. AD users are able to authenticate through SQUID to surf the Internet, BUT!! after 2 hours (sometimes more or less) suddenly some users (one or two) couldn’t surf the Internet; Internet Explorer requests new credentials (user/password). Then AD users type them, but they aren’t able to surf the Internet. I checked that an AD user typed the user/password correctly, but the prompt appears every time. From cache.log these lines are recorded:

    2011/02/10 17:58:15| squid_kerb_auth: Got YR '[token removed]' from squid (length: 2107).
    2011/02/10 17:58:15| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found

    I’ve been using: RHEL 5.0, SQUID 3.0, and the modules squid_kerb_auth 1.0.7 and squid_kerb_ldap 1.2.1a from squid.conf. I’ve configured the option debug_options ALL,1 33,2 28,9 in order to get more records, but all these records aren’t useful. Can somebody help? Thanks in advance.

  14. Ananta Aryadewa said at 9:54 am on June 27th, 2016:

    Great post and detailed explanation. However, I still have no clue how to implement this in the servlet. I am working on a Struts 1.3 app, and I need to add the SSO to the existing login system, backed by an RDBMS. Is there any sample code or a clue to implementing the SSO auth within an existing webapp?

  15. Binh Thanh Nguyen said at 5:50 am on August 9th, 2016:

    Thanks, nice post

  16. Peter said at 11:48 am on September 13th, 2016:

    Let’s discuss the not so uncommon case where there are not one but several web application servers. For example, these may be duplicates of the same application (prod, uat, dev, etc.) or they may simply be running different applications.

    In this case would you recommend creating one AD account per app server, or would it suffice to have only one AD account in total? Of course the SPN and the keytab file need to be per-server, I understand that much, but I’m not sure why you would need one AD account per server?
