SPNEGO to JBoss 4.3.2 (with username different from hostname)

manjusha gole
Greenhorn

Joined: Sep 24, 2011
Posts: 1
Our web application deployed on JBoss 4.2.3 GA version is using SPNEGO security-negotiation-2.0.3.GA for single sign-on to authenticate users with Active Directory.

In this scenario, is it mandatory to create a user account with the hostname of the server?


Setup details:
Windows 2003 R2 SP2 Active directory (KDC)
JBoss 4.3.2 GA on Linux 5.3 server
Windows XP 2002 SP3

The KDC domain is oxacmdc.com and the Linux server host name is lnx53camdev6.

We have followed the steps given in the user guide and created a keytab file (we have created a user account with a different name than the host name of the Linux server).

---commands executed on AD -----
setspn.exe -a host/lnx53camdev6.oxacmdc.com jbossuser

setspn.exe -a HTTP/lnx53camdev6.oxacmdc.com jbossuser

ktpass -princ host/lnx53camdev6@OXACMDC.COM -pass * -mapuser OXACMDC\jbossuser -ptype KRB5_NT_PRINCIPAL -out C:\lnx53camdev6.host.keytab

ktab -k c:\lnx53camdev6.host.keytab -a jbossuser@OXACMDC.COM

----output of setspn -l jbossuser----

Registered ServicePrincipalNames for CN=jbossuser,CN=Users,DC=oxacmdc,DC=com:

host/lnx53camdev6

HTTP/lnx53camdev6.oxacmdc.com

host/lnx53camdev6.oxacmdc.com



The negotiation toolkit tests (basic and host) are successful when launched from Windows 2003 R2 SP2 and the Windows XP client. We are able to access our web application from the Windows 2003 R2 SP2 server machine successfully. But when we try to access our application from the Windows XP 2002 SP3 machine (with the same user logged in as on the Windows server), we get an HTTP 401 error - "This request requires HTTP authentication ()." The JBoss server log reports the following error:

2011-09-24 03:01:25,405 8120236 WARN [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-8643-2 Unsupported negotiation mechanism 'NTLM'.



Does anyone have any idea why it does not work on Windows XP? Does it require any specific hotfixes or patches?


Thanks.
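
The log line in the post reports NTLM as the negotiation mechanism. As an added example (not part of the original post and not JBoss Negotiation code), this Python sketch classifies the value of an `Authorization: Negotiate` header, so that a header captured from the failing XP client can be compared with one from the working server machine. The function names and result labels are hypothetical, the sample headers are constructed, and the mechanism check is a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64
import binascii

# DER-encoded mechanism OIDs that can appear in a Negotiate token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))     # 1.2.840.48018.1.2.2 (MS)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def classify_negotiate(header_value):
    """Classify the value of an 'Authorization: Negotiate ...' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"              # NTLM message sent without a SPNEGO wrapper
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        # Heuristic: find mechanism OIDs by byte search, not a full ASN.1 parse.
        if any(oid in token for oid in KRB5_OIDS):
            return "spnego-kerberos"   # Kerberos is among the offered mechanisms
        if NTLMSSP_OID in token:
            return "spnego-ntlm-only"  # only NTLM is offered inside SPNEGO
    return "unknown"

def _der(tag, body):
    """Minimal DER TLV for constructed samples (short-form length only)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_header(mech_oids):
    """Build a constructed SPNEGO NegTokenInit header offering the given mechanisms."""
    mech_types = _der(0xA0, _der(0x30, b"".join(mech_oids)))
    token = _der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, mech_types)))
    return "Negotiate " + base64.b64encode(token).decode()

if __name__ == "__main__":
    # Constructed inputs, not captured from the poster's environment.
    ntlm = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(24)).decode()
    for name, hdr in [("raw NTLM", ntlm),
                      ("SPNEGO + Kerberos", sample_header(list(KRB5_OIDS) + [NTLMSSP_OID])),
                      ("SPNEGO NTLM only", sample_header([NTLMSSP_OID]))]:
        print(f"{name:20} -> {classify_negotiate(hdr)}")
```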