Hi Booker,

The Pre Auth log is related to kinit -k -t /http-web.keytab and not related to an actual web-based request.

Regards,
Miten.

________________________________
From: miten mehta <[email protected]>
To: Booker Bense <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Tuesday, October 9, 2012 10:48 AM
Subject: Re: kerberos / spnego

Hi Booker,

I am using Internet Explorer 9 and assume it should be configured already for spnego. The webapp as such has to do some auth prompting so I guess it starts out doing jaas based basic auth. I am just following pretty much the article at spring security and their samples.

http://blog.springsource.org/2009/09/28/spring-security-kerberos/
http://git.springsource.org/spring-security/se-security/trees/4f00f949bc13fd1588dda0053be35a55fd4fe93f/spring-security-kerberos/spring-security-kerberos-sample/src

I as such have kerberos working fine for ssh, rsh etc.

Regards,
Miten.

________________________________
From: Booker Bense <[email protected]>
To: miten mehta <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Monday, October 8, 2012 7:44 PM
Subject: Re: kerberos / spnego

On Mon, Oct 8, 2012 at 5:21 AM, miten mehta <[email protected]> wrote:
> Hi,
>
> I have attempted kerberos for SSO for web app using spring-security and have
> doubts. Would appreciate if one can take a look at my post here and advise.
>
> http://forum.springsource.org/showthread.php?130775-spring-security-spnego-kerberos-sso&p=426585#post426585
>

If the software is really capable of doing SPNEGO, you should never need to enter your password into the web application. That's the whole point. Most browsers need some configuration tweaks to enable SPNEGO, I think only Explorer will do it out of the box. If the web app has a valid keytab and support for SPNEGO, it should never need to talk to the KDC.

It looks like what is really happening is that the software is attempting to use some form of basic auth where it requests a username/password and uses kerberos to verify the password.

The error message you are seeing suggests that the kerberos library it's using doesn't have proper support for PRE-AUTH (old version of Java?). If you want support for kerberos in Java, you should be using at least 1.6. Most prior versions have very broken kerberos support.

If you're willing to live with username/pw on the web application, then you'll likely have better luck using LDAP rather than kerberos.

- Booker C. Bense

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
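
The difference discussed in the thread, between real SPNEGO and a username/password prompt that is verified against Kerberos, shows up in the HTTP Authorization header the browser sends. The Python below is an added example, not code from the thread or from Spring Security; it classifies that header value, and the function name, the result labels and the sample headers are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
NTLM_SIG = b"NTLMSSP\x00"


def classify_authorization(header):
    """Label an HTTP Authorization header value by what the client sent."""
    if not header or not header.strip():
        return "none"
    scheme, _, param = header.strip().partition(" ")
    if scheme.lower() == "basic":
        return "basic"            # username/password sent to the application
    if scheme.lower() != "negotiate":
        return "other"
    try:
        token = base64.b64decode(param.strip(), validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return "negotiate-malformed"
    if token.startswith(NTLM_SIG):
        return "negotiate-ntlm"   # NTLM fallback, not a Kerberos ticket
    if token[:1] != b"\x60":      # GSS-API initial token: [APPLICATION 0]
        return "negotiate-malformed"
    if SPNEGO_OID in token[:20]:
        # Heuristic: the offered mechanism list sits near the token start.
        offered = token[:64]
        if KRB5_OID in offered or MS_KRB5_OID in offered:
            return "negotiate-spnego-kerberos"
        return "negotiate-spnego-other"
    if KRB5_OID in token[:20]:
        return "negotiate-kerberos"   # raw Kerberos GSS token, no SPNEGO wrapper
    return "negotiate-unknown"


def _tlv(tag, body):
    """Constructed-sample helper: DER TLV with a short-form length (<128)."""
    return bytes([tag, len(body)]) + body


# Constructed samples, not captured traffic.
_init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, KRB5_OID))))
SAMPLES = {
    "spnego": "Negotiate " + base64.b64encode(_tlv(0x60, SPNEGO_OID + _init)).decode(),
    "ntlm": "Negotiate " + base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00").decode(),
    "basic": "Basic " + base64.b64encode(b"user:example").decode(),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify_authorization(value))
```

A request that classifies as basic or negotiate-ntlm means the browser did not present a Kerberos service ticket for the web application.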
