Configuring Kerberos for SPNEGO (Java Kerberos only)

Kerberos authentication for SPNEGO is an alternative to configuring single sign-on using native Windows Authentication. Kerberos should only be configured if using Windows Authentication is not an option.

Configuring Kerberos for SPNEGO involves:

  • Creating a krb5.conf file to configure information for the Java GSSAuthenticator. This locates the Kerberos domain controller.
  • Creating and initializing the krb5.keytab file. This file contains information needed by the GSSAuthenticator to validate the authenticity of communications from the Kerberos domain controller.
  • Invoking the kinit tool. This program initiates a session between the service principal (in this example, nexjsvr) and the Kerberos domain controller, allowing the Kerberos domain controller to trust requests from the application.

To configure Kerberos for SPNEGO:

  1. Create the directory WAS_HOME or JBOSS_HOME on your application server machine.
  2. Run the ktab command in %WAS_HOME%\spnego to create a keytab file with the server's service principal name and service user (e.g. nexjsvr) password:
    ktab -a HTTP/appServerHost.domain.ext -k %WAS_HOME%\spnego\krb5.keytab
    Important: Ensure that the path %WAS_HOME%\spnego\krb5.keytab has no spaces. If it does, copy krb5.keytab to a directory without spaces and adjust the entered path in these instructions accordingly.
  3. Verify that the keytab works by creating a temporary entry:
    ktab -a user@DOMAIN.EXT -k %WAS_HOME%\spnego\krb5.keytab
  4. View the keytab file to verify entries using the command:
    ktab -l
  5. Issue a kinit command:
    kinit -k -t krb5.keytab nexjsvr@DOMAIN.EXT
  6. Remove the temporary entry you created in step 3 by running the following command:
    ktab -d user@DOMAIN.EXT
  7. Create the Kerberos configuration file %WAS_HOME%\java\jre\lib\security\krb5.config, with the following content:
    [libdefaults]
            default_realm = DOMAIN.EXT
            default_keytab_name = FILE:%WAS_HOME%\spnego\krb5.keytab
            default_tkt_enctypes = rc4-hmac des-cbc-md5
            default_tgs_enctypes = rc4-hmac des-cbc-md5
    [realms]
            DOMAIN.EXT = {
                    kdc = kdc_host.domain.ext:88
            }
    [domain_realm]
            .domain.ext = DOMAIN.EXT
    Note: Domain names are case-sensitive. All DOMAIN.EXT values must be capitalized in the configuration.
    The following is an example Kerberos configuration file:
    [libdefaults]
            default_realm = NEXJSYSTEMS.LOCAL
            default_keytab_name = FILE:C:\java\websphere\AppServer\spnego\krb5.keytab
            default_tkt_enctypes = rc4-hmac des-cbc-md5
            default_tgs_enctypes = rc4-hmac des-cbc-md5
    [realms]
            NEXJSYSTEMS.LOCAL = {
                    kdc = nexj-prd-1.nexjsystems.local:88
            }
    [domain_realm]
            .yourcompany.local = YOURCOMPANY.LOCAL

Kerberos is now configured to work with the SPNEGO negotiation mechanism.
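A sanity check for the finished configuration file, added here as an example and not part of the original instructions: it parses the subset of the krb5.conf format shown above and flags what the steps caution against (a default_realm that is not upper-case, a keytab path containing spaces, a [domain_realm] entry pointing at a realm with no [realms] block), plus the DES and RC4 enctypes the template enables, which are deprecated (RFC 6649, RFC 8429) and which the Java runtime refuses unless allow_weak_crypto is set. The embedded sample is the page's example file with the wrapped keytab path rejoined; run against it, the checker reports the two enctype lines and the YOURCOMPANY.LOCAL mapping.

```python
import re
DEPRECATED_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "rc4-hmac", "arcfour-hmac"}  # RFC 6649 / RFC 8429
EXAMPLE_CONF = r"""[libdefaults]
        default_realm = NEXJSYSTEMS.LOCAL
        default_keytab_name = FILE:C:\java\websphere\AppServer\spnego\krb5.keytab
        default_tkt_enctypes = rc4-hmac des-cbc-md5
        default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
        NEXJSYSTEMS.LOCAL = {
                kdc = nexj-prd-1.nexjsystems.local:88
        }
[domain_realm]
        .yourcompany.local = YOURCOMPANY.LOCAL"""  # constructed sample: the page's example, wrapped path joined

def parse_krb5_conf(text):
    # Handles only the [section] / key = value / REALM = { ... } subset used above.
    conf, section, realm = {}, None, None
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for line in filter(None, lines):  # skip blank and comment-only lines
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header or line == "}":  # new section, or end of a REALM = { ... } block
            section = conf.setdefault(header.group(1), {}) if header else section
            realm = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            realm = section.setdefault(key, {})
        else:
            (section if realm is None else realm)[key] = value
    return conf

def check_krb5_conf(text):
    """Return findings for the cautions the steps above give; [] means it passes."""
    conf = parse_krb5_conf(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm, findings = lib.get("default_realm", ""), []
    if default_realm != default_realm.upper():
        findings.append(f"default_realm {default_realm!r} must be upper-case")
    if default_realm not in realms:
        findings.append(f"no [realms] entry for default_realm {default_realm!r}")
    if " " in lib.get("default_keytab_name", ""):
        findings.append("default_keytab_name path contains spaces")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(set(lib.get(key, "").split()) & DEPRECATED_ENCTYPES)
        if weak:
            findings.append(f"{key} enables deprecated enctypes: {' '.join(weak)}")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    return findings
```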