-rw-r--r-- jetty-security/src/main/config/etc/README.spnego | 54
1 files changed, 2 insertions, 52 deletions
diff --git a/jetty-security/src/main/config/etc/README.spnego b/jetty-security/src/main/config/etc/README.spnego
index 8c413a59af..6bc2123290 100644
--- a/jetty-security/src/main/config/etc/README.spnego
+++ b/jetty-security/src/main/config/etc/README.spnego
@@ -11,7 +11,7 @@ The easiest place to put these lines are in the start.ini file.
For debugging the spengo authentication the following options are helpful:
-Dorg.eclipse.jetty.util.log.DEBUG=true
+-Dorg.eclipse.jetty.LEVEL=debug
-Dsun.security.spnego.debug=all
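Review bot: The new `-Dorg.eclipse.jetty.LEVEL=debug` line turns on debug output for the whole `org.eclipse.jetty` logger tree, and the README still gives no hint that this and `-Dsun.security.spnego.debug=all` are troubleshooting-only settings. Since the text tells readers to put these lines in start.ini, add a sentence saying to remove them once authentication works. The context line directly above the change also still reads "spengo"; worth correcting to "spnego" while this paragraph is being touched.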
@@ -62,54 +62,4 @@ embedded, via the jetty.xml or in a context file for the webapp.
</Get>
-Important Configuration Files:
-
-spengo.properties - configures the user realm with runtime properties
-krb5.ini - configures the underlying kerberos setup
-spnego.conf - configures the glue between gssapi and kerberos
-
-It is important to note that the keytab file referenced in the krb5.ini and the spengo.conf files needs to
-contain the keytab for the targetName for the http server. To do this use a process similar to this:
-
-On the windows active domain controller run:
-
-> setspn -A HTTP/linux.mortbay.org ADUser
-
-To create the keytab file use the following process:
-
-> ktpass -out c:\dir\krb5.keytab -princ HTTP/linux.mortbay.org@MORTBAY.ORG -mapUser ADUser -mapOp set -pass ADUserPWD -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
-
-This step should give you the keytab file which should then be copied over to the machine running this
-http server and referenced from the configuration files. For our testing we put the keytab into the etc
-directory of jetty and referenced it from there.
-
-Setting up your Browser:
-
-Firefox:
-
-* browse to about:config and agree to the warnings
-* search through to find the 'network' settings
-** set network.negotiate-auth.delegation-uris to http://,https://
-** set network.negotiate-auth.trusted-uris to http://,https://
-
-IE:
-
-* Tools -> Options -> Security -> Local Intranet -> Sites
-** make sure everything is checked here
-* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced
-** add url to server (http:// and/or https://) making sure to use the hostname
-* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced -> Close
-* Tools -> Options -> Security -> Local Intranet -> Sites -> Ok
-* Tools -> Options -> Advanced -> Security (in the checkbox list)
-** locate and check 'Enable Integrated Windows Authentication'
-* Tools -> Options -> Advanced -> Security -> Ok
-* close IE then reopen and browse to your spengo protected resource
-
-NOTE: you must go to the hostname and not the IP, if you go to the IP it will default to NTLM authentication...the following conditions apply to having spnego work
-
-* Intranet Zone
-* Accessing the server using a Hostname rather then IP
-* Integrated Windows Authentication in IE is enabled, the host is trusted in Firefox
-* The Server is not local to the browser
-* The client's Kerberos system is authenticated to a domain controller
-
+8 \ No newline at end of file
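Review bot: The only added line at the end of this hunk is a bare `8` with no trailing newline, which looks like a stray keystroke rather than intended README content; drop it and end the file with a newline. The hunk also deletes the whole "Important Configuration Files" and "Setting up your Browser" text without leaving a pointer to where that material now lives. Two of the removed statements are things an operator needs to get right: that the keytab must contain the entry for the HTTP server's targetName, and the NOTE that browsing by IP instead of hostname makes the client default to NTLM. If the content has moved, replace the deleted block with a one-line reference to the new location. If it is being carried over elsewhere, the `ktpass` example is worth revisiting at the same time, since it passes the account password with `-pass` on the command line and fixes the key type to `-crypto RC4-HMAC-NT`.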
