

Stages V7.2

Configure Kerberos Autologin

Autologin

    • Will SPNego work with HTTP proxies?
      • Yes and no. To avoid trouble, this manual recommends disabling proxy usage for the Stages server in the browser configuration (for example with a proxy exception for the FQDN of the Stages server).
      • The problem is that a proxy may modify or even strip the SPNego authentication headers (WWW-Authenticate: Negotiate / Authorization: Negotiate). In addition, a proxy must make sure that it never shares an authenticated connection between several clients; otherwise one client could reuse a connection that was authenticated as another user. There are proxy implementations that handle SPNego sessions correctly, but in general we do not recommend using a proxy.
    • I have messed up my keytab file and need to recreate it. What do I have to do?
      • Ktpass automatically maps the SPN (service principal name) to the user account. Before you can run ktpass again, you have to remove this mapping manually with setspn. Keep in mind that ktpass also sets the password of the mapped account, so the old keytab stops working once the new one is created.
        • Step 1: Check for assigned SPNs
C:\temp>setspn -l pkit
Registered ServicePrincipalNames for
CN=pkit,CN=Users,DC=pkitbuild,DC=er,DC=methodpark,DC=de:
 HTTP/pkit.pkitbuild.er.methodpark.de
C:\temp>
        • Step 2: Remove each listed SPN:
C:\temp>setspn -d HTTP/pkit.pkitbuild.er.methodpark.de pkit
Unregistering ServicePrincipalNames for CN=pkit,CN=Users,DC=pkitbuild,DC=er,DC=methodpark,DC=de
 HTTP/pkit.pkitbuild.er.methodpark.de
Updated object
C:\temp>
        • Step 3: Run ktpass again to create the new keytab and the mapping (see chapter 1.3.2).
  • I use URLs like “http://localhost:8080” or “http://stages:8080”; why do I have to authenticate manually?
    • Kerberos is a security protocol and needs a globally unique name for the service. The browser builds the service principal name it requests a ticket for from the host name in the URL (HTTP/<host>). Neither “localhost” nor an abbreviated host name is globally unique or maps to the registered SPN HTTP/<fqdn>, so no service ticket can be obtained and the browser falls back to manual authentication. For this reason you always have to use the FQDN (fully qualified domain name) of the Stages server in the URL.
  • How do I determine the Kerberos realm?
    • In an Active Directory environment the Kerberos realm is the DNS name of the Windows domain written in upper case (for the domain pkitbuild.er.methodpark.de the realm is PKITBUILD.ER.METHODPARK.DE).
    • You can find the domain name in Control Panel > System (computer name and domain settings) or by running “echo %USERDNSDOMAIN%” at a command prompt on a domain-joined machine.
  • I get exceptions like “GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)”
    • There are various reasons for this exception:
    • Check the location and the file system permissions of the keytab file and the path to this file in the JAAS configuration file. The account under which Stages runs must be able to read the keytab. Use forward slashes “/” as path separators, even on Windows.
    • The Stages SPN has to be unique inside the Active Directory forest (check with “setspn -Q HTTP/<fqdn>”).
    • The Stages SPN has to match the FQDN of the Stages server as it is used in the browser URL.
    • Check the case of the SPN and of the principal in the JAAS configuration. They are case sensitive: the host part has to be lower case and the realm part upper case, e.g. HTTP/pkit.pkitbuild.er.methodpark.de@PKITBUILD.ER.METHODPARK.DE.
    • Check whether there is an inner exception with the message “Clock skew too great”. You have to enable time synchronization on every computer, without exception: the Active Directory server, the Stages server and all client computers. Kerberos tolerates a skew of up to 5 minutes by default. Do not forget to check the time zone settings and the daylight saving time setting on every machine in the whole network.
Autologin Guide.doc 05.05.2015
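The keytab recreation procedure from the FAQ above (list the SPNs, remove them, run ktpass again) as one PowerShell script, with a uniqueness check and a restrictive ACL on the new keytab. This is an added example and not code from the Stages product or from the original guide. The account name, FQDN, realm, keytab path and the identity that is granted read access are assumptions (the names are taken from the setspn transcript above) and have to be adjusted; the script assumes an elevated PowerShell on a domain-joined machine where setspn.exe and ktpass.exe are available (both are built in since Windows Server 2008).

```powershell
# Recreate the Stages keytab after a failed or outdated ktpass run.
# Added example, not Stages product code. Account, FQDN, realm, keytab path and
# the identity granted read access are ASSUMPTIONS; adjust them to your domain.

$Account = 'pkit'                                 # AD user account the SPN is mapped to
$Fqdn    = 'pkit.pkitbuild.er.methodpark.de'      # host name used in the browser URL, lower case
$Realm   = 'PKITBUILD.ER.METHODPARK.DE'           # Kerberos realm = AD domain name, UPPER case
$Spn     = "HTTP/$Fqdn"
$Keytab  = 'C:\temp\stages.keytab'

# Step 1: list the SPNs currently registered on the account. "setspn -L" prints a
# header line, then the DN, then one indented SPN per line; keep only the SPN lines.
$registered = @(setspn -L $Account |
    Where-Object { $_ -match '^\s+\S+/\S+' } |
    ForEach-Object { $_.Trim() })
Write-Host "SPNs registered on ${Account}: $($registered -join ', ')"

# Step 2: remove every registered SPN so that ktpass can create the mapping again.
foreach ($s in $registered) {
    setspn -D $s $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -D $s $Account failed" }
}

# Step 3: the SPN must now be registered on no object in the forest (it has to be unique).
if ((setspn -Q $Spn) -match 'Existing SPN found') {
    throw "$Spn is still registered on another object; remove it there first"
}

# Step 4: recreate mapping and keytab. "/pass *" prompts for the password instead of
# putting it on the command line. Caveats: ktpass SETS this password on the mapped
# account and bumps its key version number (so any older keytab stops working), and
# it rewrites the account's userPrincipalName to the SPN.
# The principal must be HTTP/<fqdn in lower case>@<REALM IN UPPER CASE>.
ktpass /princ "$Spn@$Realm" /mapuser "$Account@$Realm" /pass * `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $Keytab
if (-not (Test-Path -LiteralPath $Keytab)) { throw 'ktpass did not write the keytab' }

# Step 5: verify the mapping is back, then restrict the keytab (it contains the
# service key) to administrators and the account that runs Stages. The script
# assumes Stages runs as the mapped account; replace the identity if it does not.
setspn -L $Account
icacls $Keytab /inheritance:r /grant:r 'BUILTIN\Administrators:(R)' "$env:USERDOMAIN\${Account}:(R)"
```

Run it once per keytab rotation; after it finishes, copy the keytab to the location referenced by the JAAS configuration and restart Stages so the new key version is picked up.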
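The checks listed under the GSSException question above, together with the SPN-from-URL point from the “localhost” question, as one PowerShell diagnostic script run on a domain-joined client. This is an added example and not code from the Stages product or from the original guide. The JAAS file location, the FQDN and the realm are assumptions, and the script assumes a Krb5LoginModule entry in that file with keyTab="..." and principal="..." settings.

```powershell
# Check the usual causes of "Failed to find any Kerberos Key" and whether a
# service ticket for the Stages SPN can be obtained from this client at all.
# Added example, not Stages product code. Paths, FQDN and realm are ASSUMPTIONS.
# setspn, klist and w32tm are built into Windows 7 / Server 2008 R2 and later.

$JaasFile = 'C:\stages\conf\jaas.conf'               # assumed location of the JAAS config
$Fqdn     = 'pkit.pkitbuild.er.methodpark.de'         # must equal the host in the browser URL
$Realm    = 'PKITBUILD.ER.METHODPARK.DE'
$Spn      = "HTTP/$Fqdn"
$Dc       = $env:LOGONSERVER.TrimStart('\')           # DC that authenticated this logon
$findings = @()

# 1. keyTab entry in the JAAS file: forward slashes, file present and readable by the
#    account that runs Stages (here: the user running this script).
$jaas = Get-Content -Path $JaasFile -Raw -ErrorAction Stop
if ($jaas -match 'keyTab\s*=\s*"([^"]+)"') {
    $keytab = $Matches[1]
    if ($keytab.Contains('\')) { $findings += "keyTab path '$keytab' uses backslashes; use '/'" }
    $winPath = $keytab -replace '/', '\'
    if (-not (Test-Path -LiteralPath $winPath)) {
        $findings += "keyTab file '$keytab' does not exist"
    } else {
        try { [System.IO.File]::OpenRead($winPath).Dispose() }
        catch { $findings += "keyTab '$keytab' is not readable: $($_.Exception.Message)" }
    }
} else {
    $findings += "no keyTab entry found in $JaasFile"
}

# 2. principal in the JAAS file must equal HTTP/<fqdn lower>@<REALM UPPER>, byte for byte.
if ($jaas -match 'principal\s*=\s*"([^"]+)"') {
    $expected = "$Spn@$Realm"
    if ($Matches[1] -cne $expected) {                 # -cne: case-sensitive comparison
        $findings += "principal '$($Matches[1])' differs from expected '$expected'"
    }
}

# 3. SPN must exist exactly once in the forest ("setspn -Q" prints one CN= line per object).
$owners = @(setspn -Q $Spn | Where-Object { $_ -match '^CN=' })
if ($owners.Count -eq 0)     { $findings += "$Spn is not registered on any account" }
elseif ($owners.Count -gt 1) { $findings += "$Spn is registered on several objects: $($owners -join '; ')" }

# 4. Request a service ticket for the SPN, which is what the browser does for the FQDN
#    in the URL (and cannot do for "localhost" or a short name).
$k = @(klist get $Spn)
if (-not ($k -match [regex]::Escape($Spn))) { $findings += "klist get $Spn failed: $($k -join ' ')" }

# 5. Clock skew against the DC; Kerberos tolerates 5 minutes by default. The last
#    line of "w32tm /stripchart /dataonly" looks like "13:25:01, +00.0013216s".
$sample = @(w32tm /stripchart "/computer:$Dc" /samples:1 /dataonly)[-1]
if ($sample -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt 300) { $findings += "clock skew against $Dc is ${skew}s (limit 300s)" }
} else {
    $findings += "could not measure clock skew against $Dc ($sample)"
}

if ($findings.Count -eq 0) {
    Write-Host 'No obvious cause found; check the Stages log for an inner exception.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run the script on the Stages server under the account that runs Stages (checks 1 and 2 depend on that account's view of the file system) and once more on a client that shows the manual login prompt (checks 4 and 5 are about the client).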

Tools and Utilities

  • Windows Tools and Support
    • The Windows Support Tools are included on every Windows Server installation CD, but with some versions of Windows they are not installed by default. Search for a file named “suptools.msi” and install it; the installer package depends on another file called “support.cab” in the same directory. On Windows Server 2008 and later, setspn.exe and ktpass.exe are part of the operating system and need no separate installation.
      • Ktpass.exe
        • Ktpass is a Kerberos utility to create keytab files. Please see chapter 1.3.2 for an example.
      • Setspn.exe
        • With setspn.exe you can list and delete the SPNs (service principal names) assigned by ktpass.exe. See section 1.4.22 of the FAQ for an example of how to use this utility.
      • Ldp.exe
        • Ldp is an LDAP browser useful for evaluating the content of an LDAP directory.
      • Windows Resource Kit Tools – Kerbtray
        • Kerbtray displays the Kerberos tickets cached on the computer it runs on and is useful for checking whether a service ticket for the Stages SPN was obtained. It can be downloaded from http://download.microsoft.com; use the search facility and search for the keyword “Kerbtray”. On Windows 7 / Server 2008 R2 and later the built-in command “klist” shows the same information.