401 SPNEGO SSO with Linux client

I can’t manage to configure my Ubuntu VM to single sign-on on my Spring Security web application under Spnego. Did I do anything wrong or am I missing something?

I already got to SSO on a Windows 7 VM, so I believe it’s Linux specific.

My configuration is detailed below.

Infra

I have four machines that run in two different hardware:

WIN-SRV2008.company.local: the VM KDC running Windows Server 2008 (hardware A)
TOMCAT.company.local: running the Tomcat 7 web application (hardware A)
W7-CLIENT.company.local: VM Windows 7 client which SSO works (hardware B)
U-CLIENT.company.local: VM Ubuntu 17.10.1 client which SSO doesn’t work (hardware B)

SPN

My SPN, krb5.ini and login.conf were based on this thread’s description.

Spnego

I basically followed Spring Security Kerberos – Reference Documentation, except removing form login, resulting on:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${kerberos.service-principal}")
    private String servicePrincipal;

    @Value("${kerberos.keytab-location}")
    private String keytabLocation;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AffirmativeBased affirmativeBased = new AffirmativeBased(Arrays.asList(new RoleVoter(),new WebExpressionVoter()));
        http
            .authorizeRequests().accessDecisionManager(affirmativeBased)
            .anyRequest().authenticated()
            .and()
        .httpBasic()
            .authenticationEntryPoint(entryPoint())
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .and()
        .addFilterBefore(
                    spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                    BasicAuthenticationFilter.class)
        .sessionManagement()
        .invalidSessionUrl("/login")
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true)
        .sessionRegistry(sessionRegistry());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    @Bean
    public SpnegoEntryPoint entryPoint() {
        return new SpnegoEntryPoint();
    }

    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        LoginKerberosAuthentication provider = new LoginKerberosAuthentication();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        client.setDebug(true);
        provider.setKerberosClient(client);
        provider.setUserDetailsService(usuarioDetailsService());
        return provider;
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
        AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(usuarioDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal(servicePrincipal);
        ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
        ticketValidator.setDebug(true);
        return ticketValidator;
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public UsuarioDetailsService usuarioDetailsService() {
        return new UsuarioDetailsService();
    }

Ubuntu client

To join the domain I followed the steps:

sudo apt-get install realmd krb5-user software-properties-common python-software-properties packagekit

sudo realm join COMPANY.local -U 'administrator@COMPANY.LOCAL' -v

Until I got to generate kerberos ticket with:

kinit my_ubuntu_user@COMPANY.local

I actually checked cache with klist, that outputed:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my_ubuntu_user@COMPANY.local

Valid starting        Expires                Service principal
30/10/2018 17:25:47   31/10/2018 03:25:47    krbtgt/COMPANY.local@COMPANY.local
            renew until 31/10/2018 17:25:43

And lastly, I authenticated successfully using:

sudo su my_ubuntu_user@COMPANY.local

SSO – the problem

When I try to access my application homepage using Firefox (with trusted sites config) just as I do with the Windows 7 client, I only get the 401 Negotiate header and no response token is sent. Meaning that, when I input an actual url to SpnegoEntryPoint constructor, I get redirected to this fallback.

Thank you in advance

Answer

Thanks to Samson’s comment I was able to make it work.

I was indeed switching to an empty cache by doing sudo su my_ubuntu_user@COMPANY.local, what made my application login respond 401.

Advertisement

Answer