HTTP/Spnego with Kerberos authentication for Finatra web server


I am trying to use SPNEGO with the Finatra web server, but I can't get it to work.

Here is my GitHub project: https://github.com/glegoux/spnego-server-finatra

In Wireshark (capture screenshot not reproduced here) the KDC reply shows the error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

My server log:

...
Debug is  true  
storeKey true useTicketCache false useKeyTab true 
doNotPrompt true ticketCache is null 
isInitiator false KeyTab is /tmp/spnego-server.keytab 
refreshKrb5Config is true principal is HTTP/[email protected] 
tryFirstPass is false 
useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Java config name: krb5.conf
Loaded from Java config
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
principal is HTTP/[email protected]
Will use keytab
Commit Succeeded 

Found KeyTab /tmp/spnego-server.keytab for HTTP/[email protected]
Found KeyTab /tmp/spnego-server.keytab for HTTP/[email protected]
Found KeyTab /tmp/spnego-server.keytab for HTTP/[email protected]
Found KeyTab /tmp/spnego-server.keytab for HTTP/[email protected]
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 03 be 30 82 03 ba ...
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.5.2.5
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext.acceptSecContext: mechanism wanted = null
SpNegoContext.acceptSecContext: negotiated result = REJECT
SpNegoContext.acceptSecContext: sending token of type = SPNEGO NegTokenTarg
SpNegoContext.acceptSecContext: sending token = a1 07 30 05 a0 03 0a 01 02 
The underlying mechanism context has not been initialized
[UnboundedFuturePool-2] INFO SpnegoFilter - Client principal: null
...

When I check my credentials, I don't have a Ticket-Granting Service (TGS) ticket for HTTP/[email protected]:

$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting       Expires              Service principal
24/06/2018 21:17:20  25/06/2018 07:17:20  krbtgt/[email protected]
    renew until 25/06/2018 21:17:18, Flags: FPRIA
    Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1 

JAAS config
krb5 config

spnego-server keytab:

$ klist -kte /tmp/spnego-server.keytab
Keytab name: FILE:/tmp/spnego-server.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/25/18 06:27:43 HTTP/[email protected] (des3-cbc-sha1)

Do you know why?


It works ;). I fixed the post, but HTTP/[email protected] is correct for the principal name; before it was HTTP/[email protected], without the .example.com suffix.
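The failure mode above is worth seeing in code: the client builds the service principal from the URL host (HTTP/<fqdn>@REALM), and if the KDC has no such principal the TGS-REQ fails with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN before a Kerberos token ever reaches the server; in the JDK debug log the acceptor then only sees the client's fallback mech OID 1.3.6.1.5.2.5 (IAKERB), which the JDK's SPNEGO does not implement, hence the REJECT and "Client principal: null". The following script is an added example, not code from the question's project: it parses an MIT v2 keytab, derives the SPN a client will request for a URL, and reports a short-host-name mismatch of the kind the answer describes. The host name spnego-server.example.com, the realm EXAMPLE.COM, the key bytes and the keytab itself are constructed assumptions (the page's real names are obfuscated); no DNS canonicalisation is attempted, so the URL host is assumed to already be the FQDN.

```python
"""Added example: check that the SPN a client derives from a URL exists in the
server keytab (the question's real host/realm are obfuscated; names here are
assumptions)."""
import struct
from dataclasses import dataclass
from urllib.parse import urlsplit

KEYTAB_MAGIC = b"\x05\x02"      # MIT keytab file format, version 2
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str   # "svc/host@REALM"
    kvno: int
    enctype: int     # 16 = des3-cbc-sha1, as in the question's klist -kte output


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': big-endian uint16 length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab.
    Only used to construct sample input; real keytabs come from kadmin/ktutil."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name type, timestamp (constructed value), 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 1529908063, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(blob: bytes):
    """Parse a v2 MIT keytab (what `kadmin ktadd` / ktutil write)."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        _key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno present; overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def expected_spn(url: str, realm: str) -> str:
    """SPN a GSS client requests for url: HTTP/<host>@<REALM>.
    Assumes the URL host is already the canonical FQDN (no DNS lookups here)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no host in %r" % url)
    return "HTTP/%s@%s" % (host.lower(), realm)


def diagnose(keytab: bytes, url: str, realm: str) -> dict:
    """Report whether the keytab holds the SPN derived from url, with a hint
    when only the short host name is present (the mismatch from the answer)."""
    want = expected_spn(url, realm)
    have = [e.principal for e in parse_keytab(keytab)]
    result = {"ok": want in have, "wanted": want, "keytab": have, "hint": None}
    if not result["ok"]:
        short = urlsplit(url).hostname.split(".")[0].lower()
        if "HTTP/%s@%s" % (short, realm) in have:
            result["hint"] = ("keytab holds the short host name; the client asks for the "
                              "FQDN, so the KDC answers KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN")
    return result


if __name__ == "__main__":
    # Constructed sample keytabs (assumed host name, realm and dummy 24-byte des3 key).
    bad = build_keytab([("HTTP/spnego-server@EXAMPLE.COM", 1, 16, bytes(24))])
    good = build_keytab([("HTTP/spnego-server.example.com@EXAMPLE.COM", 1, 16, bytes(24))])
    for kt in (bad, good):
        r = diagnose(kt, "http://spnego-server.example.com:8888/", "EXAMPLE.COM")
        print(r["ok"], r["wanted"], r["keytab"], r["hint"])
```

To run it against a real keytab, pass `open("/tmp/spnego-server.keytab", "rb").read()` to `diagnose` with the URL the client actually uses; if the host in that URL is a short name or an alias, also check `rdns`/`dns_canonicalize_hostname` in krb5.conf, because the client may canonicalise the host before building the SPN.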