Questions tagged [spnego]
17 questions
10
votes
2 answers
Is this Kerberos/AD setup possible?
We have a slightly complicated IDAM setup:
I.e. the end user's machine and browser sit in one network with the parent AD, and our Jetty-based application and the AD that it can talk to (local AD) sit in the other.
There is a two-way trust between…
Rob Grant
- 103
- 6
4
votes
2 answers
Multiple SPNEGO authenticated web servers on one host name
I was trying to set up a Java service using the SPNEGO servlet filter and a listen port of 8080 for authentication on a host that is also running web applications hosted in IIS7.
I followed the SPNEGO installation instructions and created an SPN for…
themel
- 274
- 1
- 7
2
votes
0 answers
Delegation works on some browsers but not on others
I've been trying to make Kerberos delegation work across all browsers, but I'm having no luck. I'm running a Java web server on Linux and Windows.
Firefox (64 bit) on Linux: Receive the ticket and delegation works. I've set the preferences…
DetriusXii
- 21
- 1
2
votes
2 answers
Adding new SPNs to existing service ids
We have a Tomcat server using spring-security kerberos to authenticate users to the webpage against Active Directory.
There are around 25 domain controllers.
The site has two CNAME based DNS aliases.
The site currently has one Service ID with SPNs…
jmh
- 146
- 4
2
votes
1 answer
NTLM token sent instead of Kerberos ticket
I am trying to implement Kerberos SSO in our network using SPNEGO on a Tomcat server.
We have created an account (TCNKRBGINA) on the domain for the preauthentication, and setspn'ed it to the http server:
Setspn -A HTTPS/testtech.etat-ge.ch…
Maurice Perry
- 315
- 2
- 13
1
vote
1 answer
Kerberos - TCP client wants 1195725856 bytes, cap is 1048572
I'm having some difficulties debugging this error. I'm running nginx as an API gateway built to make a sub-request to Kerberos whenever an endpoint gets called using the SPNEGO method. But whenever I attempt to make a request with a TGS ticket in the…
Kenpachi
- 11
- 2
1
vote
1 answer
WebSphere SPNEGO - Cannot get credential from JAAS Subject for principal
PROBLEM
I get an error trying to enable SPNEGO on the WebSphere application server (WAS ND, single node) 9.0.0.7. I have succeeded on another server, but for this one I can't find the problem.
I get the following error…
nize
- 121
- 1
- 5
1
vote
2 answers
Machine Account Password Resets on server and invalid Kerberos tickets on client
According to this TechNet article https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/ Machine Accounts (Computer Objects) reset internal passwords every 30 days.
Let's assume that this server is running IIS with…
arainchi
- 141
- 4
1
vote
3 answers
Httpd LimitRequestFieldSize not taken into account
I have a problem configuring httpd to accept large SPNEGO authentication headers.
The requests work fine with an Authorization header line of up to at least 5674 bytes but break with an Authorization header of more than 6178 bytes, with the following answer…
Sefa
- 111
- 1
- 4
1
vote
0 answers
JBoss SPNEGO Authentication Renewing Server Kerberos Tickets
We have successfully configured SPNEGO with our webapp on JBoss EAP 6.2, Windows Server 2008, and IE10 using JBoss Negotiation.
What is best operational practice for renewing the ticket issued to JBoss to minimize Administrator intervention? The…
praspa
- 111
- 3
0
votes
0 answers
The Kerberos client received a KRB_AP_ERR_MODIFIED error from server
I have a situation where Kerberos authentication is failing.
I have checked that the SPN is registered under the correct AD user account that runs the service that needs to use Kerberos to authenticate the user, and not the host itself.
The password…
Ringo
- 121
- 5
0
votes
1 answer
Shibboleth SPNEGOAuthnConfiguration in CentOS server
I have a requirement where the users were already joined to the domain and logged in using the same credentials from the LDAP server; they don't want to enter them again to log in to Shibboleth SSO, so I searched the Shibboleth documentation, and it already has support for…
CoolMonster
- 61
- 5
0
votes
2 answers
gssapi/kerberos/active directory/ubuntu - Wrong principal in request
I'm trying to set up a client server with a web service to which users of an Active Directory should be able to log in with SSO.
I'm using SPNEGO with Kerberos on an Ubuntu 14.04 server and an nginx proxy to Naviserver for the web service to do that and get…
Sky
- 11
- 3
0
votes
1 answer
Tomcat SPNEGO authentication against Active Directory not working
I'm trying to authenticate against AD using the http://spnego.sourceforge.net component with Tomcat.
I've created my SPNs "setspn.exe -A HTTP/servername SVCTomcat" & "setspn.exe -A HTTP/servername.fqdn.net SVCTomcat"
I've created my krb5.conf &…
Michael Henry
- 577
- 3
- 9
0
votes
0 answers
Windows Authentication with OpenID Connect (OIDC) with Active Directory (AD FS)?
This is NOT about Azure, but about an on-premises offline Microsoft Active Directory system, based on Windows 2016/2019.
Our website uses OpenID with Microsoft Active Directory, but we want the user to be logged in automatically (SPNEGO?), when…
Lars D
- 280
- 2
- 16