author Jesse McConnell 2012-02-21 09:40:20 -0500
committer Jesse McConnell 2012-02-21 09:40:20 -0500
commit c771766aae27d2a76c375361a694099285360aae
tree c20c2a59bd69c7540b884d08b202067561379c97 /jetty-security/src
parent c06df6cbbdae8b09db041b33e12dfb8e17d1461e
updates to spnego doc
Diffstat (limited to 'jetty-security/src')
1 files changed, 2 insertions, 52 deletions
diff --git a/jetty-security/src/main/config/etc/README.spnego b/jetty-security/src/main/config/etc/README.spnego
index 8c413a59af..6bc2123290 100644
--- a/jetty-security/src/main/config/etc/README.spnego
+++ b/jetty-security/src/main/config/etc/README.spnego
@@ -11,7 +11,7 @@ The easiest place to put these lines are in the start.ini file.
For debugging the spengo authentication the following options are helpful:
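Review bot: The context line "For debugging the spengo authentication the following options are helpful:" misspells spnego, the name the file itself (README.spnego) uses; since this commit updates the spnego doc, correct it to "spnego" in the same pass. The same misspelling shows up in the lines the next hunk removes ("spengo.conf", "spengo protected resource"), so it is worth checking the rest of the file for it.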
@@ -62,54 +62,4 @@ embedded, via the jetty.xml or in a context file for the webapp.
-Important Configuration Files:
- - configures the user realm with runtime properties
-krb5.ini - configures the underlying kerberos setup
-spnego.conf - configures the glue between gssapi and kerberos
-It is important to note that the keytab file referenced in the krb5.ini and the spengo.conf files needs to
-contain the keytab for the targetName for the http server. To do this use a process similar to this:
-On the windows active domain controller run:
-> setspn -A HTTP/ ADUser
-To create the keytab file use the following process:
-> ktpass -out c:\dir\krb5.keytab -princ HTTP/ -mapUser ADUser -mapOp set -pass ADUserPWD -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
-This step should give you the keytab file which should then be copied over to the machine running this
-http server and referenced from the configuration files. For our testing we put the keytab into the etc
-directory of jetty and referenced it from there.
-Setting up your Browser:
-* browse to about:config and agree to the warnings
-* search through to find the 'network' settings
-** set network.negotiate-auth.delegation-uris to http://,https://
-** set network.negotiate-auth.trusted-uris to http://,https://
-* Tools -> Options -> Security -> Local Intranet -> Sites
-** make sure everything is checked here
-* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced
-** add url to server (http:// and/or https://) making sure to use the hostname
-* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced -> Close
-* Tools -> Options -> Security -> Local Intranet -> Sites -> Ok
-* Tools -> Options -> Advanced -> Security (in the checkbox list)
-** locate and check 'Enable Integrated Windows Authentication'
-* Tools -> Options -> Advanced -> Security -> Ok
-* close IE then reopen and browse to your spengo protected resource
-NOTE: you must go to the hostname and not the IP, if you go to the IP it will default to NTLM authentication...the following conditions apply to having spnego work
-* Intranet Zone
-* Accessing the server using a Hostname rather then IP
-* Integrated Windows Authentication in IE is enabled, the host is trusted in Firefox
-* The Server is not local to the browser
-* The client's Kerberos system is authenticated to a domain controller
+8 \ No newline at end of file
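Review bot: Missing documentation: the block removed from old line 62 onward held the two statements an operator is most likely to trip over, that the keytab referenced from krb5.ini and the spnego conf file must contain the key for the HTTP service principal, and the NOTE that browsing to the IP instead of the hostname falls back to NTLM, while the only added line visible here is "8". If the material has moved, the README should say where it now lives; otherwise keep at least those two statements and the list of conditions for spnego to work. If the ktpass example is republished elsewhere, review it first, since it passes the account password on the command line (-pass ADUserPWD) and pins the key type to the legacy RC4-HMAC-NT. The new last line also has no trailing newline ("\ No newline at end of file"); end the file with one.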
