
Do we require a keytab entry for all AD users for Kerberos-based authentication?


I have a web application deployed on JBoss. As of now we have implemented the NTLMHttpFilter provided by https://www.jcifs.org/. As this Java filter supports only NTLMv1, I now need to update my authentication to Kerberos-based authentication, to support Kerberos using SPNEGO, but I am still not sure: do I have to generate a keytab file for every existing application user? If yes, how do I update the keytab password every time a user updates their Windows password? Also, please let me know the keytab location for the service account and the user account. My intention here is to provide a promptless SSO feature using Integrated Windows Authentication.


Solution

  • You only need a keytab file for the service account of your application, not for every user. The user requests a service ticket for the application from the KDC.
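
The server side of the exchange described in the answer above, as an added example that is not part of the original answer: the application logs in once from the service account's keytab and validates each browser's SPNEGO token with that key alone. The class name, SPN and keytab path are placeholder assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class SpnegoAcceptor {
    // Placeholders (assumptions): the service account's SPN and the path to its keytab.
    static final String SERVICE_PRINCIPAL = "HTTP/app.example.com@EXAMPLE.COM";
    static final String SERVICE_KEYTAB = "/path/to/service.keytab";

    /** Log in as the service account from its keytab; no per-user keys are involved. */
    static Subject loginService() throws Exception {
        Map<String, String> opts = Map.of("useKeyTab", "true", "keyTab", SERVICE_KEYTAB,
            "principal", SERVICE_PRINCIPAL, "storeKey", "true",
            "isInitiator", "false", "doNotPrompt", "true"); // acceptor only, never prompts
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        Configuration conf = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
        LoginContext lc = new LoginContext("service", null, null, conf);
        lc.login();
        return lc.getSubject();
    }

    /** Validate the base64 value of "Authorization: Negotiate ..."; returns the user principal, or null if the context is not yet established. */
    static String authenticate(Subject service, String negotiateToken) throws Exception {
        byte[] token = Base64.getDecoder().decode(negotiateToken);
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY); // SPNEGO mechanism OID
            GSSContext ctx = mgr.createContext(cred);
            try {
                ctx.acceptSecContext(token, 0, token.length); // decrypts the ticket with the service key
                return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
            } finally {
                ctx.dispose();
            }
        });
    }
}
```

The user principal returned by `authenticate` comes out of the service ticket the KDC issued, so a user changing their Windows password requires no change on the application side.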