I'm running an instance of Kerby (MIT Kerberos Java implementation) on a Linux machine. I have a web application running on a Windows machine. The web application is secured using Spring Security Kerberos (following the steps described in this article).
Per the Kerberos protocol description for client authentication on Wikipedia, step 1 is
- The client sends a cleartext message of the user ID to the AS (Authentication Server) requesting services on behalf of the user.
The client (in my case) is a web browser. How does the web browser know where the Authentication Server is? I don't see any mention of that in the article or in its referenced code. Is it part of the keytab that is exported from the KDC for the service principal name (SPN)?
Spring Security Kerberos uses the SPNEGO protocol to get the service token (see section 3 in the referenced article). It 'instructs' the user-agent to get the service token. The user-agent will then use the OS libs to retrieve it. The OS knows where the KDC is located (*nix krb5.conf, Windows domain/AD membership). A keytab can be used to authenticate a client to the KDC, see the Spring Security Kerberos docs. It seems that Spring is leveraging the krb5.conf file of the OS as it does not allow you to specify the KDC. You should always first set up the OS Kerberos client on the host where your web app is deployed and test authentication using the keytab file via kinit.
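To make the "the OS knows where the KDC is" point concrete, here is an added example (not code from the question, the answer, Kerby or Spring Security Kerberos) that resolves the KDC the way an MIT/Heimdal client library does on *nix: it reads `[domain_realm]` to map the service host to a realm, then `[realms]` to find that realm's `kdc` entries. The `krb5.conf` text, the hostnames, realms and the helper names (`parse_krb5_conf`, `realm_for_host`, `kdcs_for_realm`, `kdc_for_service`) are all constructed for this illustration. Two simplifications are assumed: a host with no `[domain_realm]` match falls back to `default_realm` (real libraries may instead use DNS or KDC referrals), and DNS SRV lookup of `_kerberos._udp.<realm>`, which clients use when `dns_lookup_kdc` is on and no `kdc` line exists, is only reported, not performed. Note that nothing here comes from the keytab: a keytab holds the service principal's long-term keys, not KDC addresses.

```python
"""Resolve which KDC a Kerberos client would contact for a given service principal,
using only the client-side krb5.conf. Added example; constructed data throughout."""

# Constructed krb5.conf (example data, not from the original post).
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false      # no SRV fallback in this example

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
    CORP.LOCAL = {
        kdc = dc01.corp.local
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .corp.local = CORP.LOCAL
"""

DEFAULT_KDC_PORT = 88  # RFC 4120 well-known Kerberos port


def parse_krb5_conf(text: str) -> dict:
    """Parse the krb5.conf subset used here: [section] headers, key = value lines,
    repeated keys (collected into lists) and NAME = { ... } subsections."""
    conf: dict = {}
    stack: list = []  # innermost dict is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1].strip(), {})]
            continue
        if not stack:
            raise ValueError("key/value before any [section]: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
            continue
        stack[-1].setdefault(key, []).append(value)
    return conf


def realm_for_host(conf: dict, host: str) -> str:
    """Map a host to a realm via [domain_realm]: exact host first, then the longest
    matching parent domain (".example.com"), else default_realm (assumed fallback)."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower()
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for candidate in candidates:
        if candidate in mapping:
            return mapping[candidate][0]
    return conf["libdefaults"]["default_realm"][0]


def kdcs_for_realm(conf: dict, realm: str) -> list:
    """Return [(host, port), ...] from the realm's kdc lines, in configured order."""
    realm_cfg = conf.get("realms", {}).get(realm)
    if realm_cfg is None or "kdc" not in realm_cfg:
        raise LookupError(
            "no kdc entry for realm %s; with dns_lookup_kdc = true a client would "
            "query the _kerberos._udp.%s SRV record instead" % (realm, realm.lower())
        )
    kdcs = []
    for entry in realm_cfg["kdc"]:
        host, _, port = entry.partition(":")
        kdcs.append((host, int(port) if port else DEFAULT_KDC_PORT))
    return kdcs


def kdc_for_service(conf: dict, spn: str):
    """Given an SPN such as HTTP/app.example.com[@REALM], return (realm, kdcs).
    An explicit @REALM wins; otherwise the realm is derived from the host part."""
    principal, _, realm = spn.partition("@")
    _service, _, host = principal.partition("/")
    if not host:
        raise ValueError("SPN must look like service/host[@REALM]: %r" % spn)
    realm = realm or realm_for_host(conf, host)
    return realm, kdcs_for_realm(conf, realm)


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for spn in ("HTTP/app.example.com", "HTTP/web.corp.local@CORP.LOCAL"):
        print(spn, "->", kdc_for_service(conf, spn))
```

Once the mapping above gives the realm and KDC you expect, the check the answer recommends is the real one: on the web app host run `kinit -kt /path/to/service.keytab HTTP/app.example.com@EXAMPLE.COM` (path and principal are placeholders) and confirm with `klist` that a TGT was issued; if `kinit` cannot reach a KDC, Spring Security Kerberos, which relies on the same OS configuration, will not be able to either.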