-
Notifications
You must be signed in to change notification settings - Fork 7
/
README
78 lines (53 loc) · 3 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
SPNEGO Servlet + Microsoft PAC demo
===================================
Introduction
============
This project demonstrates the use of the filter found at[1] as a simple HttpServlet using Jetty. So be sure to read their docs (especially their pre-flight routine).
In addition it also demonstrate the use of the PAC parser found at[2] to parse the PAC information found in an Active Directory (or Samba 4) issued Kerberos ticket[3]. This contains authorization information about the authenticated user principal (think: group information in the form of SID etc.).
[1] http://spnego.sourceforge.net
[2] http://jaaslounge.sourceforge.net/
[3] http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html
Used Settings
=============
Hostname: example.com
SPN: HTTP/example.com
Domain username: Zeus
Domain username password: Z3usP@55
/etc/krb5.conf:
-->8--snip-->8--snip-->8---
[libdefaults]
default_realm = EXAMPLE.COM
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = adserver.example.com
default_domain = EXAMPLE.COM
kpasswd_server = adserver.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[login]
krb4_convert = true
krb4_get_tickets = false
-->8--snip-->8--snip-->8---
Browser configuration:
1) IE: Add example.com to the "Local intranet" zone. For this, click the Settings Gear in IE->Internet Options->Security->Local intranet->Sites->Advanced. Then add "http://example.com"
2) Google-chrome:
* On Windows: Use the IE configuration steps above; or
* On Linux (or Windows): start from command line with: google-chrome --auth-server-whitelist="*example.com" --auth-negotiate-delegate-whitelist="*example.com"
3) Firefox: go to about:config, "say you'll be careful", change the value for 'network.negotiate-auth.trusted-uris' into 'https://,http://example.com' and the value for 'network.negotiate-auth.delegation-uris' into 'http://example.com'
Build/Run Instructions
======================
Build/run using: mvn jetty:run (and have a cup of tea (coffee), if you happen to have an empty local maven repo)
Available Servlets
==================
1) http://example.com:8080/filtered/spnego
Shows how to use the forked spnego-pac filter to authenticate users against a Kerberos (i.e. Active Directory) and how to read the logon info (PAC, e.g. group SID) from the authenticated principal (for kerberos tickets issues by Active Directory, Samba v4).
2) http://example.com:8080/spnego
Works like 1) but exposes the underlying code in a single file (for people who like to know how it works).
Notes
=====
1) If your client is on a POSIX platform (Linux, etc.), be sure to run 'kinit' first, otherwise you will not be able to authenticate and the browsers won't tell you what is happening.
2) In Windows you cannot run the server and the client on the same host, because Windows will try to use NTLM then, which you don't want because it's insecure.
3) There are probably more caveats that I now fail to remember/mention, sorry about that.