Versions Compared

...

ktpass -princ HTTP/tst2srv01-2016.xy-hospital.xy@XY-HOSPITAL.XY ^
  -mapuser custoKerberos@xy-hospital.xy ^
  -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL ^
  -pass custosecretPW! -out "C:\Program Files\custo diagnostic server\conf\tomcat.keytab"

...

Replace or edit the krb5.ini and jaas.conf files located in your ...\custo diagnostic server\conf directory.

krb5.ini (Download krb5.ini)

Code Block
[libdefaults]
  debug = true
  default_realm = XY-HOSPITAL.XY
  dns_lookup_kdc = false
  default_keytab_name = FILE:C:\Program Files\custo diagnostic server\conf\tomcat.keytab
  krb4_config = /etc/krb.conf
  krb4_realms = /etc/krb.realms
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true

[realms]
  XY-HOSPITAL.XY = {
    #
    # Specify your Domain Controller here
    kdc = tst2dc01.xy-hospital.xy
    admin_server = tst2dc01.xy-hospital.xy
    default_domain = xy-hospital.xy
  }

[domain_realm]
  .xy-hospital.xy = XY-HOSPITAL.XY

[login]
  krb4_convert = true
  krb4_get_tickets = false


jaas.conf (download jaas.conf)

We attached the file to download it for you. Please do not use copy/paste from the code below; use the files attached to this website.

Attention!

The principal name must be IDENTICAL (case-sensitive) to the principal name used with ktpass.

Be aware of forward slashes in the file name: the keyTab path in jaas.conf uses forward slashes, unlike the Windows path given to ktpass.

Code Block
# Attention!
# The principal name must be IDENTICAL (case-sensitive) to the principal name used with ktpass.
# Be aware of forward slashes in the file name.
# 2020-02-04, FHo

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tst2srv01-2016.xy-hospital.xy@XY-HOSPITAL.XY"
    useKeyTab=true
    keyTab="C:/Program Files/custo diagnostic server/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tst2srv01-2016.xy-hospital.xy@XY-HOSPITAL.XY"
    useKeyTab=true
    keyTab="C:/Program Files/custo diagnostic server/conf/tomcat.keytab"
    storeKey=true;
};
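As an added example (not code from the page or from custo), the following Python script checks the three pieces configured above against each other: the principal in both jaas.conf entries must be byte-for-byte identical to the one given to ktpass, the keyTab path must use forward slashes and point at the same file as default_keytab_name in krb5.ini, and default_realm must match the realm of the principal. The function and constant names are mine, the embedded files are constructed copies of the page's values, and the RC4 finding is an added recommendation rather than a step from the page.

```python
# Added example (not part of the page or of the custo diagnostic server): a
# consistency check over the ktpass principal, krb5.ini and jaas.conf shown above.
# Function names are mine; sample inputs are constructed copies of the page's values.
import re
from typing import Dict, List

KTPASS_PRINCIPAL = "HTTP/tst2srv01-2016.xy-hospital.xy@XY-HOSPITAL.XY"  # constructed
KTPASS_CRYPTO = "rc4-hmac-nt"  # constructed
KRB5_INI = r"""
[libdefaults]
  default_realm = XY-HOSPITAL.XY
  default_keytab_name = FILE:C:\Program Files\custo diagnostic server\conf\tomcat.keytab
[realms]
  XY-HOSPITAL.XY = {
    # Specify your Domain Controller here
    kdc = tst2dc01.xy-hospital.xy
    admin_server = tst2dc01.xy-hospital.xy
  }
[domain_realm]
  .xy-hospital.xy = XY-HOSPITAL.XY
"""
# Both JAAS entries on the page carry the same options, so build them from one template.
_ENTRY = """
%s {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tst2srv01-2016.xy-hospital.xy@XY-HOSPITAL.XY"
    useKeyTab=true
    keyTab="C:/Program Files/custo diagnostic server/conf/tomcat.keytab"
    storeKey=true;
};
"""
JAAS_ENTRIES = ("com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.krb5.accept")
JAAS_CONF = "".join(_ENTRY % name for name in JAAS_ENTRIES)
_OPT = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s;]+))')  # option=value or option="quoted value"

def parse_krb5_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.ini reader; keys inside a realm block become 'REALM.key'."""
    sections: Dict[str, Dict[str, str]] = {}
    section = block = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            sections[section] = {}
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = line[:-1].split("=")[0].strip()
        else:
            key, _, value = line.partition("=")
            key = f"{block}.{key.strip()}" if block else key.strip()
            sections[section][key] = value.strip()
    return sections

def parse_jaas_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Option=value pairs per JAAS login entry, with surrounding quotes removed."""
    entries: Dict[str, Dict[str, str]] = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\};", text, re.S):
        entries[name] = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                         for m in _OPT.finditer(body)}
    return entries

def _norm_path(p: str) -> str:
    """Compare keytab paths regardless of FILE: prefix, slash style and case."""
    return (p[5:] if p.startswith("FILE:") else p).replace("\\", "/").lower()

def check_sso_config(principal: str, crypto: str, krb5_text: str, jaas_text: str) -> List[str]:
    """Return findings; an empty list means the three pieces agree with each other."""
    findings: List[str] = []
    krb5, jaas = parse_krb5_ini(krb5_text), parse_jaas_conf(jaas_text)
    libdefaults = krb5.get("libdefaults", {})
    realm = principal.rsplit("@", 1)[-1]
    if libdefaults.get("default_realm") != realm:
        findings.append(f"krb5.ini default_realm does not match the ktpass realm {realm}")
    if f"{realm}.kdc" not in krb5.get("realms", {}):
        findings.append(f"krb5.ini has no kdc entry for realm {realm}")
    for name in JAAS_ENTRIES:
        opts = jaas.get(name)
        if opts is None:
            findings.append(f"jaas.conf is missing the entry {name}")
            continue
        if opts.get("principal") != principal:  # exact, case-sensitive comparison
            findings.append(f"{name}: principal is not identical to the ktpass principal")
        keytab = opts.get("keyTab", "")
        if "\\" in keytab:
            findings.append(f"{name}: keyTab must use forward slashes: {keytab}")
        if _norm_path(keytab) != _norm_path(libdefaults.get("default_keytab_name", "")):
            findings.append(f"{name}: keyTab differs from krb5.ini default_keytab_name")
        if opts.get("useKeyTab") != "true" or opts.get("storeKey") != "true":
            findings.append(f"{name}: useKeyTab and storeKey must both be true")
    if crypto.lower().startswith("rc4"):  # added recommendation, not a step from the page
        findings.append("ktpass -crypto is RC4-HMAC; prefer an AES type where the domain supports it")
    return findings

if __name__ == "__main__":
    for finding in check_sso_config(KTPASS_PRINCIPAL, KTPASS_CRYPTO, KRB5_INI, JAAS_CONF) or ["OK"]:
        print(finding)
```

To use it on a real installation, read the two files from the conf directory into the krb5_text and jaas_text arguments and pass the exact -princ and -crypto values you gave to ktpass; a lower-case realm in one of the jaas.conf entries, the most common slip when the files are edited by hand, shows up as a "not identical" finding for that entry.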

...

As the last step, restart the custo diagnostic server now.

Please do your test on a normal PC, NOT using an administrator or other special account. Use a normal domain account.

If everything works and the logged-in Windows user is allowed to use custo diagnostic, then this command should return "true".


Debugging & Testing

First check whether LDAP works: switch back to the "LDAP" login method and check whether the test user can log in with their Windows password.
Then switch back to the Kerberos/remote login method to go ahead.

For testing Kerberos authentication without using the custo manager, you can use the curl utility that is installed in the same folder as the custo diagnostic client:


You can add the following switches to the Java command line (via "Configure custo diagnostic server" in the Start menu):

-Dsun.security.krb5.debug=true
-Dsun.security.spnego.debug=true

After restarting Tomcat, you will find logging information in the stdout and stderr files in the <custo diagnostic server installation directory>/logs directory.

...