Problem with kerberos iis authentication in spring boot application on windows

Question

i'a trying to deploy my jar spring boot application on windows but get error : [Krb5LoginModule] authentication failed KrbException: Cannot locate default realm

In my localhost, everything is OK with the authentication but whene i deploy the jar in the production server i got the error even if both windows are in the same campany doamin.

the system administrator told me that for other application, the authentication is based on Kerberos and iis so the ticket exchange for authentication is very easy.

Here's my security config :

 @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        KerberosAuthenticationProvider provider =
                new KerberosAuthenticationProvider();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        client.setDebug(true);
        provider.setKerberosClient(client);
        provider.setUserDetailsService(dummyUserDetailsService());
        return provider;
    }

    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        //return new SpnegoEntryPoint("/login");
        return new SpnegoEntryPoint();
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter =
                new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider =
                new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(dummyUserDetailsService());
        return provider;
    }
    

    

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        SunJaasKerberosTicketValidator ticketValidator =
                new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal("HTTP/[email protected]");
  
        ticketValidator.setKeyTabLocation(new 
    FileSystemResource("c:\\user\\tomcat.keytab"));
        ticketValidator.setDebug(true);
        return ticketValidator;
    }

    @Bean
    public DummyUserDetailsService dummyUserDetailsService() {
        return new DummyUserDetailsService();
    }

I don't know if i have to specify the keytab file because on windows no keytab or kb5.conf file is needed so the c:\user\tomcat.keytab file is empty.

Can someone help me with this please

Answer 1

You will need a Keytab file.
Keytab file contains keys which are required by kerberos module to decrypt the incoming kerberos token.

Keytab file is not out of the box present as it is specific to a user account in AD.
It has to be generated by your system admin and give it to you. You will need a service user (dedicated for your application). Generate keytab for it.
Copy it on your application server and specify its path in spring.

Check ktpass command on windows for more details about creating keytab.
You may also need to check for krb5 conf file, what it contains and how you can specify it inside Spring.