Kerberos Autologin

Frequently Asked Questions

Will SPNego work with HTTP proxies?

No and yes. To avoid difficulties, this manual recommends to disable proxy usage for the Stages server via browser configuration.

The problem is that the SPNego authentication headers might get modified or even be removed by a proxy. Furthermore a proxy has to take care of not sharing authenticated connections between several clients. There are proxy implementations which are capable of handling SPNego sessions correctly but in general we do not recommend proxy usage.

I have messed up my keytab file and need to recreate it. What do I have to do?

Ktpass will automatically map a SPN (service principal name) to the user account. Before you can call ktpass again, you have to remove this mapping manually.

Step 1: Check for Assigned SPNs

C:\temp>setspn -l pkit
Registered ServicePrincipalNames for
CN=pkit,CN=Users,DC=pkitbuild,DC=er,DC=methodpark,DC=de:
 HTTP/pkit.pkitbuild.er.methodpark.de
C:\temp>

Step 2: For each SPN, remove it

C:\temp>setspn -d HTTP/pkit.pkitbuild.er.methodpark.de pkit
Unregistering ServicePrincipalNames for CN=pkit,CN=Users,DC=pkitbuild,DC=er,DC=m
ethodpark,DC=de
 HTTP/pkit.pkitbuild.er.methodpark.de
Updated object
C:\temp>

I use URLs like http://localhost:8080 or http://stages:8080 , why do I have to use manual authentication?

Kerberos is a security protocol. For security reasons it is necessary to have a globally unique network identification. Both, localhost and abbreviated host names are not globally unique. For this reason you always have to use the FQDN (full qualified domain name).

How to determine the Kerberos Realm?

In an Active Directory environment the Kerberos Realm is equal to the Domain name of Windows. You can find the Domain name in System Control > System > Network Identification.

I get exceptions like “GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)”

  • There can be various reasons for this exception:
    • Check location and file system permissions of the keytab file and the paths to this file inside JAAS configuration file. You have to use forward slashes “/” for path separation.
    • The Stages SPN has to be unique inside the Active Directory
    • The Stages SPN has to match the domain name of the Stages server
    • Check the SPN case. It is case sensitive! The domain part has to be lower case and the realm part has to be upper case
    • Check if there is an inner exception with message “Clock skew too great”. You have to enable time synchronization on every computer. Really, on every, including Active Directory Server, Stages Server and Client computers. Usually a tolerance of up to 5 minutes is acceptable. Don’t forget to check time zone settings and en-/disable daylight saving support on every machine in the whole network.