I'm trying to follow this tutorial for spring-security-kerberos
I have a keytab with one principal in it:
ktutil: rkt http-web.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM
This keytab was generated on a the win 2k8 domain controller with this command:
ktpass /out http-web.keytab /mapuser aulfeldt-hta-nightly@WAD.ENG.HYTRUST.COM /princ HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM /pass *
which was coppied over the the test web server used in spnego.xml:
<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
<property name="servicePrincipal" value="HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM" />
<property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />
<property name="debug" value="true" />
</bean>
but fails to find the principal:
Key for the principal HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM not available in
jndi:/localhost/spring-security-kerberos-sample-1.0.0.CI-SNAPSHOT/WEB-INF/http-web.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
I have tried joining the web server (Centos 5.5, tomcat6) to the AD WAD.ENG.HYTRUST.COM and can login using AD credentials and then using a principal from /etc/krb5.keytab just to see if it can be read… same response. I also tried lots of variants on uppercase and lowercaseing the names.
ps checked it out from git this morning.
Best Answer
There're several mistakes that lead to "Unable to obtain password from user":
classpath:http-web.keytab
orfile:c:/http-web.keytabl