
Java Security


Configuring Kerberos across 2 domains?

843810, Oct 27 2009 (edited Nov 5 2009)
Hi

I am trying to set up a 3rd party application to use Single Sign On using Kerberos authentication across two domains and am having trouble. DOMAIN1.COM is a W2K domain and DOMAIN2 is a Citrix farm. My application is a Solaris (5.9) hosted Java app (1.4.2_08) running under WebLogic 8.1.

I've generated the keytab files etc. and can successfully authenticate using kinit. I can successfully sign in from my desktop when I configure my environment to use only one domain, either DOMAIN1.COM or DOMAIN2, but I am hitting this error when trying to authenticate with a user account on DOMAIN2 (it works fine for a user account on DOMAIN1):

...
<000000> <Found Negotiate with SPNEGO token>
<000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))>
...

The application uses the JAAS login framework to perform the authentication. The steps I have followed are:

1. We have generated the keytab file for both domains and have tested that we can generate tickets using the kinit command.

2. When I start my WL server I am using the DOMAIN1.COM domain credentials, i.e.

JAVA_OPTIONS="-ms1024m ...etc... -Djava.security.auth.login.config=krb5Login.conf -Djava.security.krb5.realm=DOMAIN1.COM -Djava.security.krb5.kdc=ldap-domain1.com -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"

3. I've configured my krb5Login.conf to use DOMAIN1.COM, e.g.

com.sun.security.jgss.initiate
{
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/mydomain@DOMAIN1.COM" useKeyTab=true
    keyTab=krb5.keytab storeKey=true debug=true;
};

com.sun.security.jgss.accept
{
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/mydomain.com@DOMAIN1.COM" useKeyTab=true
    keyTab=krb5.keytab storeKey=true debug=true;
};

4. I've configured my /etc/krb5/krb5.conf to use DOMAIN2 as default.

[libdefaults]
    default_realm = DOMAIN2
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5

[realms]
    DOMAIN1.COM = {
        kdc = ldap-domain1.com:88
        admin_server = ldap-domain1.com
    }
    DOMAIN2 = {
        kdc = kdc1.domain2:88
        kdc = kdc2.domain2:88
        admin_server = ADMINSERVER2
    }

[domain_realm]
    mydomain.com = DOMAIN2

[appdefaults]
    kinit = {
        renewable = true
        forwardable = true
        autologin = true
        forward = true
        encrypt = true
    }

I am not a Java developer, so this is all new to me; hopefully someone can give me some guidance. I've been told the reason I can't authenticate is because I don't have a trust relationship set up between the two domains. But our Active Directory team have stated that setting up a trust relationship is not an option.

The software supplier has said that the application should work across both domains without the trust relationship, but they are unwilling to assist (as they have been paid already!). The way I have been led to understand it is that when we try and access the app over DOMAIN2, the app should default to the default domain set in the /etc/krb5/krb5.conf file. Am I misguided? I don't understand how the JAAS login framework works with Kerberos, and I would greatly appreciate some guidance on a possible config or code change I can make to resolve this issue.

Thanks
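A diagnostic to run before touching the JAAS or Java side, added here as an example and not part of the original post or of the application in question. Kerberos error 31 ("Integrity check on decrypted field failed", KRB_AP_ERR_BAD_INTEGRITY) is what the acceptor reports when it decrypts the client's service ticket with a key that is not the key the issuing KDC used. A ticket for a DOMAIN2 user is issued by a DOMAIN2 KDC, so the acceptor's keytab must hold the service key as registered in DOMAIN2, not only the DOMAIN1.COM one named in krb5Login.conf. The script below parses an MIT-format (0x0502) keytab, lists the principals, key versions and encryption types it contains, and reports for each realm whether the service principal is present and whether it relies on a DES enctype such as the des-cbc-md5 forced in the krb5.conf above (single DES is considered weak and is disabled by default in current Kerberos implementations). The keytab bytes are constructed inline for illustration; on a real system you would read the krb5.keytab file instead. The service name HTTP/mydomain.com and the realm names come from the post; everything else (function names, sample keys, kvno values) is assumed.

```python
"""Inspect an MIT keytab and check service-principal coverage per realm.

Added example, not code from the original post. The sample keytab is
constructed below; real keytabs come from ktpass/kadmin and are read from disk.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

# Single-DES enctypes (RFC 3961 numbers); these are the ones to flag as weak.
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}


@dataclass
class KeytabEntry:
    principal: str  # e.g. HTTP/mydomain.com@DOMAIN1.COM
    enctype: int
    kvno: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': big-endian uint16 length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, enctype: int, kvno: int, key: bytes,
                name_type: int = 1, timestamp: int = 0) -> bytes:
    """Encode one format-0x0502 entry. Used here only to construct test data."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)               # keyblock
    body += struct.pack(">I", kvno)                                  # 32-bit vno ext
    return struct.pack(">i", len(body)) + body


def build_keytab(raw_entries: List[bytes]) -> bytes:
    return b"\x05\x02" + b"".join(raw_entries)


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Parse a version-0x0502 keytab (the format written by MIT and Heimdal)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot: skip it
            pos += -size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        off = 0
        (ncomp,) = struct.unpack_from(">H", entry, off); off += 2
        (rlen,) = struct.unpack_from(">H", entry, off); off += 2
        realm = entry[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, off); off += 2
            comps.append(entry[off:off + clen].decode()); off += clen
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", entry, off); off += 9
        enctype, klen = struct.unpack_from(">HH", entry, off); off += 4
        key = entry[off:off + klen]; off += klen
        kvno = vno8
        if off + 4 <= len(entry):  # optional 32-bit kvno; zero means "use vno8"
            (kvno32,) = struct.unpack_from(">I", entry, off)
            if kvno32:
                kvno = kvno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, enctype, kvno, key))
    return entries


def check_service_coverage(entries: List[KeytabEntry], service: str,
                           realms: List[str]) -> Dict[str, List[str]]:
    """For each realm, list problems with the service's keytab entries."""
    report: Dict[str, List[str]] = {}
    for realm in realms:
        matches = [e for e in entries if e.principal == f"{service}@{realm}"]
        problems = [] if matches else ["no keytab entry for this realm"]
        for e in matches:
            if e.enctype in WEAK_ENCTYPES:
                problems.append(f"weak enctype {WEAK_ENCTYPES[e.enctype]} (kvno {e.kvno})")
        report[realm] = problems
    return report


# Constructed sample: keys only for DOMAIN1.COM (des-cbc-md5 and arcfour-hmac,
# enctype 23), plus a deleted 16-byte slot to exercise that code path.
SAMPLE_KEYTAB = build_keytab([
    build_entry("HTTP/mydomain.com@DOMAIN1.COM", 3, 3, b"\x01" * 8),
    struct.pack(">i", -16) + b"\x00" * 16,
    build_entry("HTTP/mydomain.com@DOMAIN1.COM", 23, 3, b"\x02" * 16),
])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(f"{e.principal}  kvno={e.kvno}  enctype={e.enctype}")
    for realm, problems in check_service_coverage(
            found, "HTTP/mydomain.com", ["DOMAIN1.COM", "DOMAIN2"]).items():
        print(realm, "->", "; ".join(problems) or "ok")
```

Run against a real keytab by replacing SAMPLE_KEYTAB with `open("/path/to/krb5.keytab", "rb").read()`. An empty problem list for a realm means the keytab at least holds a key for the service in that realm; a kvno that differs from what that realm's KDC currently holds for the principal also produces error 31, so compare the printed kvno with the account's key version on each KDC as well.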
Locked on Dec 3 2009