Kerberos Autologin

Frequently Asked Questions

Will SPNego work with HTTP proxies?

No and yes. To avoid difficulties, this manual recommends disabling proxy usage for the Stages server in the browser configuration.

The problem is that a proxy might modify or even remove the SPNego authentication headers. Furthermore, a proxy has to ensure that it does not share authenticated connections between several clients. Some proxy implementations are capable of handling SPNego sessions correctly, but in general we do not recommend using a proxy.

I have messed up my keytab file and need to recreate it. What do I have to do?

Ktpass automatically maps an SPN (service principal name) to the user account. Before you can run ktpass again, you have to remove this mapping manually.

Step 1: Check for Assigned SPNs

C:\temp>setspn -l pkit
Registered ServicePrincipalNames for
CN=pkit,CN=Users,DC=pkitbuild,DC=er,DC=methodpark,DC=de:
 HTTP/pkit.pkitbuild.er.methodpark.de
C:\temp>

Step 2: For each SPN, remove it

C:\temp>setspn -d HTTP/pkit.pkitbuild.er.methodpark.de pkit
Unregistering ServicePrincipalNames for CN=pkit,CN=Users,DC=pkitbuild,DC=er,DC=m
ethodpark,DC=de
 HTTP/pkit.pkitbuild.er.methodpark.de
Updated object
C:\temp>
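Both steps as one PowerShell script (an added example, not part of the Stages manual), assuming setspn.exe is on the PATH and the caller may modify the account; the account name and SPN prefix are the manual's sample values, passed as parameters:

```powershell
# Added example (not from the Stages manual): remove every SPN that ktpass
# mapped to a service account so that ktpass can be run again cleanly.
# Assumptions: setspn.exe is on the PATH; the caller has rights to modify
# the account; $Account and $SpnPrefix default to the manual's sample values.
param(
    [string]$Account = 'pkit',     # sAMAccountName of the service account
    [string]$SpnPrefix = 'HTTP/'   # only remove SPNs of this service class
)

# Step 1: list the SPNs currently registered for the account (setspn -L).
$listing = & setspn.exe -L $Account 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "setspn -L failed for '$Account': $listing"
}

# SPN lines are indented under a "Registered ServicePrincipalNames for CN=..." header;
# keep only the entries that belong to the service class we are recreating.
$spns = $listing |
    ForEach-Object { $_.ToString().Trim() } |
    Where-Object { $_ -and $_ -notmatch '^(Registered|CN=)' -and $_ -like "$SpnPrefix*" }

if (-not $spns) {
    Write-Host "No SPNs starting with '$SpnPrefix' are registered for '$Account'."
    return
}

# Step 2: remove each SPN individually (setspn -D), failing fast on any error.
foreach ($spn in $spns) {
    Write-Host "Removing $spn from $Account"
    $out = & setspn.exe -D $spn $Account 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -D failed for '$spn': $out"
    }
}

# Verification: confirm nothing with the prefix is left before calling ktpass again.
$remaining = & setspn.exe -L $Account 2>&1 |
    ForEach-Object { $_.ToString().Trim() } |
    Where-Object { $_ -like "$SpnPrefix*" }
if ($remaining) {
    throw "SPNs still registered for '$Account': $($remaining -join ', ')"
}
Write-Host "All $SpnPrefix SPNs removed from '$Account'; ktpass can be run again."
```

Run it from an elevated PowerShell session with domain rights; the final check guards against a leftover mapping that would make the next ktpass call fail again.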

I use URLs like http://localhost:8080 or http://stages:8080; why do I have to use manual authentication?

Kerberos is a security protocol, and for security reasons it requires a globally unique network identity for the service. Neither localhost nor abbreviated host names are globally unique. For this reason you always have to use the FQDN (fully qualified domain name).

How do I determine the Kerberos Realm?

In an Active Directory environment the Kerberos Realm is equal to the Windows domain name. You can find the domain name under System Control > System > Network Identification.

I get exceptions like “GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)”