-rw-r--r-- | jetty-security/src/main/config/etc/README.spnego | 54 |
1 files changed, 2 insertions, 52 deletions
diff --git a/jetty-security/src/main/config/etc/README.spnego b/jetty-security/src/main/config/etc/README.spnego index 8c413a59af..6bc2123290 100644 --- a/jetty-security/src/main/config/etc/README.spnego +++ b/jetty-security/src/main/config/etc/README.spnego @@ -11,7 +11,7 @@ The easiest place to put these lines are in the start.ini file. For debugging the spengo authentication the following options are helpful: -Dorg.eclipse.jetty.util.log.DEBUG=true +-Dorg.eclipse.jetty.LEVEL=debug -Dsun.security.spnego.debug=all 
@@ -62,54 +62,4 @@ embedded, via the jetty.xml or in a context file for the webapp. </Get> -Important Configuration Files: - -spengo.properties - configures the user realm with runtime properties -krb5.ini - configures the underlying kerberos setup -spnego.conf - configures the glue between gssapi and kerberos - -It is important to note that the keytab file referenced in the krb5.ini and the spengo.conf files needs to -contain the keytab for the targetName for the http server. To do this use a process similar to this: - -On the windows active domain controller run: - -> setspn -A HTTP/linux.mortbay.org ADUser - -To create the keytab file use the following process: - -> ktpass -out c:\dir\krb5.keytab -princ HTTP/linux.mortbay.org@MORTBAY.ORG -mapUser ADUser -mapOp set -pass ADUserPWD -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL - -This step should give you the keytab file which should then be copied over to the machine running this -http server and referenced from the configuration files. For our testing we put the keytab into the etc -directory of jetty and referenced it from there. 
- -Setting up your Browser: - -Firefox: - -* browse to about:config and agree to the warnings -* search through to find the 'network' settings -** set network.negotiate-auth.delegation-uris to http://,https:// -** set network.negotiate-auth.trusted-uris to http://,https:// - -IE: - -* Tools -> Options -> Security -> Local Intranet -> Sites -** make sure everything is checked here -* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced -** add url to server (http:// and/or https://) making sure to use the hostname -* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced -> Close -* Tools -> Options -> Security -> Local Intranet -> Sites -> Ok -* Tools -> Options -> Advanced -> Security (in the checkbox list) -** locate and check 'Enable Integrated Windows Authentication' -* Tools -> Options -> Advanced -> Security -> Ok -* close IE then reopen and browse to your spengo protected resource - -NOTE: you must go to the hostname and not the IP, if you go to the IP it will default to NTLM authentication...the following conditions apply to having spnego work - -* Intranet Zone -* Accessing the server using a Hostname rather then IP -* Integrated Windows Authentication in IE is enabled, the host is trusted in Firefox -* The Server is not local to the browser -* The client's Kerberos system is authenticated to a domain controller - +8
\ No newline at end of file |
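Review bot: The unchanged context line just above the changed option in the first hunk still reads "For debugging the spengo authentication", while the file name and the neighbouring property (-Dsun.security.spnego.debug=all) spell it spnego; since the adjacent line is being touched, correct the spelling in the same change. That sentence only calls the options "helpful", so it would also be worth stating there that both -D settings are for troubleshooting and should be taken out of start.ini again afterwards.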
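Review bot: The only line added at the end of the second hunk is a bare "8" followed by "\ No newline at end of file", which looks like a stray keystroke rather than intended README content; drop it and end the file with a newline after the retained </Get> context. The same hunk deletes the keytab steps (setspn, ktpass), the browser setup and the note that browsing by IP instead of hostname falls back to NTLM, without leaving a pointer to where that guidance now lives, so add a one-line reference to the replacement documentation if there is one.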