[Yes, there are people on this list...]

On 7/11/2012 3:50 AM, [email protected] wrote:
> Hello,
>
> I am currently running a Spring application on Centos in a VirtualBox VM
> hosted on Windows 7 and am trying to implement Kerberos ActiveDirectory
> pre-authentication as in this example:
>
> http://blog.springsource.org/2009/09/28/spring-security-kerberos/
>
> I would like to create a Kerberos service principal, using a "virtual" fully
> qualified domain name, e.g.
>
> HTTP/[email protected]
>
> By "virtual", I mean that the "centos1.mycompany.com" is not known by the
> company DNS or ActiveDirectory,
> because it only exists within the VM.

But you refer to the realm of centos1.mycompany.com in the principal too, and
I assume what you want to do is use your existing AD as the KDC, and get your
AD admins to add the principal to AD. Thus you have to use the AD domain name
(in upper case) in the principal.

>
> I have the following questions:
>
> - can you use Kerberos to authenticate users connecting to a web application
> running in a virtual machine?

Yes.

>
> - will the above service principal work, although the machine's hostname only
> exists within the VM?

Well, both the client and the server have to agree on the principal name, and
DNS is usually used, but /etc/hosts on both sides can also be used to do the
mapping. Since you are using HTTP, the browser has to be able to map the
hostname from a URL to an IP and use the hostname in a principal, and the web
server has to be running at that IP, and has to know that it is running as the
hostname. The KDC really does not care what host name you used, as long as the
principal is unique within the realm.

>
> - is "centos1.mycompany.com" a good service principal, or do I need to create
> an SP such as

I would say no, as someone else might use the same name on their VM. You don't
have to use your company name here either.

>
> "web.centos1.mycompany.com"?

Keep it unique if possible, as you may want to add it to DNS. Better still,
add it to DNS now; it might be easier in the long run.

>
> Many thanks.
>
> Best regards,
>
> Philroc
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

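The agreement the reply describes (client derives the SPN from the URL hostname, the service must hold a key for exactly that principal, realm in upper case) can be checked offline before touching a KDC. The following is an added example, not code from the thread, the Spring Security Kerberos project, or MIT Kerberos; the /etc/hosts content, realm, URL and keytab principal list are all constructed sample data.

```python
"""Predict the SPN a browser will request and check the service can accept it.

Constructed sample data only; nothing here talks to a real KDC or reads a keytab.
Assumption: the client uses the hostname as typed in the URL (some clients
canonicalise it via DNS/rDNS first, which this check does not model).
"""
from urllib.parse import urlsplit

# Constructed /etc/hosts content, as the reply suggests using on both sides.
HOSTS_FILE = """\
127.0.0.1       localhost
192.168.56.10   centos1.mycompany.com centos1   # VM-only name, not in company DNS
"""

def parse_hosts(text):
    """Map every hostname and alias in /etc/hosts-style text to its IP."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)  # first entry wins, like a resolver
    return mapping

def expected_spn(url, realm, hosts):
    """Return (spn, problems): the principal a client will ask the KDC for when
    opening `url`, plus any configuration issues that would make the request fail."""
    host = (urlsplit(url).hostname or "").lower()
    problems = []
    if host not in hosts:
        problems.append(f"{host!r} does not resolve via the hosts file; client cannot reach the service")
    if realm != realm.upper():
        # Realm names are case-sensitive; AD realms are the domain name in upper case.
        problems.append(f"realm {realm!r} is not upper case; an AD KDC will not match it")
    return f"HTTP/{host}@{realm}", problems

def service_can_accept(spn, keytab_principals):
    """True only if the service's keytab holds a key for exactly this principal;
    a different host part or realm case means the ticket cannot be decrypted."""
    return spn in keytab_principals
```

A mismatch reported here corresponds to the usual "wrong principal in request" or unknown-principal failures seen once a real KDC is involved.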