Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

updates to spnego doc

This commit is contained in:
Jesse McConnell 2012-02-21 08:40:20 -06:00
parent c06df6cbbd
commit c771766aae
1 changed files with 2 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
jetty-security/src/main/config/etc/README.spnego
View File

@ -11,7 +11,7 @@ The easiest place to put these lines are in the start.ini file.
For debugging the spengo authentication the following options are helpful: For debugging the spengo authentication the following options are helpful:
Dorg.eclipse.jetty.util.log.DEBUG=true -Dorg.eclipse.jetty.LEVEL=debug
-Dsun.security.spnego.debug=all -Dsun.security.spnego.debug=all
@ -62,54 +62,4 @@ embedded, via the jetty.xml or in a context file for the webapp.
</Get> </Get>
Important Configuration Files: 8
spengo.properties - configures the user realm with runtime properties
krb5.ini - configures the underlying kerberos setup
spnego.conf - configures the glue between gssapi and kerberos
It is important to note that the keytab file referenced in the krb5.ini and the spengo.conf files needs to
contain the keytab for the targetName for the http server. To do this use a process similar to this:
On the windows active domain controller run:
> setspn -A HTTP/linux.mortbay.org ADUser
To create the keytab file use the following process:
> ktpass -out c:\dir\krb5.keytab -princ HTTP/linux.mortbay.org@MORTBAY.ORG -mapUser ADUser -mapOp set -pass ADUserPWD -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
This step should give you the keytab file which should then be copied over to the machine running this
http server and referenced from the configuration files. For our testing we put the keytab into the etc
directory of jetty and referenced it from there.
Setting up your Browser:
Firefox:
* browse to about:config and agree to the warnings
* search through to find the 'network' settings
** set network.negotiate-auth.delegation-uris to http://,https://
** set network.negotiate-auth.trusted-uris to http://,https://
IE:
* Tools -> Options -> Security -> Local Intranet -> Sites
** make sure everything is checked here
* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced
** add url to server (http:// and/or https://) making sure to use the hostname
* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced -> Close
* Tools -> Options -> Security -> Local Intranet -> Sites -> Ok
* Tools -> Options -> Advanced -> Security (in the checkbox list)
** locate and check 'Enable Integrated Windows Authentication'
* Tools -> Options -> Advanced -> Security -> Ok
* close IE then reopen and browse to your spengo protected resource
NOTE: you must go to the hostname and not the IP, if you go to the IP it will default to NTLM authentication...the following conditions apply to having spnego work
* Intranet Zone
* Accessing the server using a Hostname rather then IP
* Integrated Windows Authentication in IE is enabled, the host is trusted in Firefox
* The Server is not local to the browser
* The client's Kerberos system is authenticated to a domain controller