Team,
I have a question on Single Sign On using Kerberos Authentication.
We have generated a keytab file for the domain like "POC.MAIL.COM" and our server is hosted on "SW.MAIL.COM". As our application runs on Websphere Application Server, we tried to set the Kerberos configuration as given in the document (page no:167)http://www.redbooks.ibm.com/redbooks/pdfs/sg247771.pdf .
We are facing the an error saying that "Cannot get credential for principal service HTTP/server1.SW.MAIL.COM@SW.MAIL.COM". Can someone help me in resolving the issue..?
Please post a comment if any additional information is required..
When I try to set the krb5.conf and keytab file on "Kerberos Authentication Mechanism page", we are getting this error.
When I ran the command klist as per your input, I got the output as below
"Key table: /etc/krb5/pocsso.keytab
Number of entries: 1
[1.] principal: HTTP/server1.sw.mail.com@POC.MAIL.COM
KVNO: 12
"
UPDATE
.
Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1@POC.MAIL.COM
Valid starting Expires Service principal
01/09/2014 16:15 02/09/2014 02:21 krbtgt/POC.MAIL.COM@POC.MAIL.COM
renew until 08/09/2014 16:15
Best Answer
Specify it only on the
Global security > SPNEGO web authentication
, not on the Kerberos configuration page. If keytab path is correct in your krb5.conf file, it is enough to provide just path to conf file (keytab is optional).UPDATE
In the filter definition you should have:
See configuration details here: Enabling and configuring SPNEGO web authentication using the administrative console
Minimal configuration in web.xml for Java EE security. And you have to have
Application Security
enabled in the server configuration, and mapped userRole to some users/groups from registry.