[jboss-user] [Security & JAAS/JBoss] - Clustered SSO with SPNEGO/KERBEROS

j_ri do-not-reply at jboss.com
Thu Jan 18 07:18:10 EST 2007


Hello!

I have my own Authenticator for Tomcat and my own LoginModule supporting SPNEGO/KERBEROS.

In a non-clustered environment everything works fine, but if I have a cluster and have configured Clustered SSO in Tomcat I run into problems. If one of the cluster nodes dies, the load balancer routes the request from the browser to another node in the cluster. The problem is that the second cluster node tries to reauthenticate the cached credentials. Since the original login can be a certain amount of time before the reauthentication, the cached credentials (= Kerberos ticket) are not valid any more. So Kerberos throws a "clock skew too great" error.

In the thread http://www.jboss.com/index.html?module=bb&op=viewtopic&t=68777&postdays=0&postorder=asc&start=10 it is written:

anonymous wrote : It feels to me that in order to support true enterprise authentication (along with the already good clustered session support) a clustered aware authentication service would need to be developed. That while a Principal may not be able to be replicated, the underlying credentials in their various forms can. You also know when users authenticate and log off. It seems to me that this service could use these authentication events along with the underlying credential data to synchronously recreate a Principal on each node upon login, and clean up upon logoff. I suppose this creation could be deferred as long as you're willing to store the credential info and original authenticator mapping forever.

According to this it's obvious why my error is happening. But what is the solution?
One idea could be to turn up the "clockskew" in the krb5.conf to a whole day.
Another is to use a custom principal which is serializable and to store that in my (replicated) session to see if a user is already authenticated. But I don't know how difficult it is to integrate this idea into my SPNEGOAuthenticator.

Any better (or easier) ideas?

Thanks
Jochen

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4003271#4003271

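Editor's note: the following is an added sketch of the second idea from the post (a serializable principal kept in the replicated session), not the poster's SPNEGOAuthenticator or any JBoss/Tomcat code. It is written against the plain servlet API so it does not depend on a particular Tomcat Authenticator signature; the SpnegoHandshake interface, the class names and the session attribute name are assumptions. The point it makes: after a successful SPNEGO handshake, store only the principal name and the login time in the session, never the Kerberos ticket, so the failover node trusts the replicated login instead of re-validating a ticket whose authenticator timestamp is now outside the skew window. The maxAge bound keeps the replicated login from being honoured forever (the "store the credential info forever" concern in the quoted thread) without touching clockskew in krb5.conf, which, if widened to a day, also widens the window in which replayed authenticators are accepted.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Principal that can be replicated together with the HttpSession.
 * Only the principal name and the wall-clock time of the original SPNEGO
 * login are kept; the Kerberos ticket is deliberately NOT stored, because
 * re-validating it on another node later is what produces
 * "clock skew too great".
 */
public final class ReplicatedKerberosPrincipal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;

    private final String name;          // Kerberos principal name, e.g. user@REALM
    private final long authTimeMillis;  // when the handshake succeeded on the original node

    public ReplicatedKerberosPrincipal(String name, long authTimeMillis) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty principal name");
        }
        this.name = name;
        this.authTimeMillis = authTimeMillis;
    }

    public String getName() { return name; }

    public long getAuthTimeMillis() { return authTimeMillis; }

    /** True once the replicated login is older than maxAgeMillis. */
    public boolean isExpired(long nowMillis, long maxAgeMillis) {
        return nowMillis - authTimeMillis > maxAgeMillis;
    }

    @Override public String toString() { return "ReplicatedKerberosPrincipal[" + name + "]"; }
}

/** Hook for the existing SPNEGO/Kerberos handshake (assumed interface, not from the post). */
interface SpnegoHandshake {
    /**
     * Runs one round of the Negotiate exchange. Returns the authenticated
     * principal name, or null if the handshake is still in progress (the
     * 401 with WWW-Authenticate: Negotiate has been sent) or has failed.
     */
    String negotiate(HttpServletRequest request, HttpServletResponse response) throws IOException;
}

/**
 * Consults the (replicated) session before running SPNEGO, so a node that
 * receives a failed-over request does not re-validate a stale ticket.
 */
final class SessionCachingSpnegoAuthenticator {
    /** Hypothetical session attribute name; any unique key works. */
    static final String PRINCIPAL_ATTRIBUTE = "spnego.replicated.principal";

    private final SpnegoHandshake handshake;
    private final long maxAgeMillis;

    SessionCachingSpnegoAuthenticator(SpnegoHandshake handshake, long maxAgeMillis) {
        this.handshake = handshake;
        this.maxAgeMillis = maxAgeMillis;  // e.g. the TGT lifetime, so the cached login outlives no ticket
    }

    /**
     * Returns the principal for this request, or null if the caller must let
     * the handshake round trip complete first.
     */
    Principal authenticate(HttpServletRequest request, HttpServletResponse response) throws IOException {
        HttpSession session = request.getSession(true);
        long now = System.currentTimeMillis();

        Object cached = session.getAttribute(PRINCIPAL_ATTRIBUTE);
        if (cached instanceof ReplicatedKerberosPrincipal) {
            ReplicatedKerberosPrincipal p = (ReplicatedKerberosPrincipal) cached;
            if (!p.isExpired(now, maxAgeMillis)) {
                return p;  // login replicated from another node and still within its lifetime: no Kerberos round trip
            }
            session.removeAttribute(PRINCIPAL_ATTRIBUTE);  // too old: force a fresh handshake
        }

        String name = handshake.negotiate(request, response);
        if (name == null) {
            return null;  // challenge sent or handshake failed; nothing is cached
        }
        ReplicatedKerberosPrincipal fresh = new ReplicatedKerberosPrincipal(name, now);
        session.setAttribute(PRINCIPAL_ATTRIBUTE, fresh);  // replicated with the session to the other nodes
        return fresh;
    }
}
```

Because the attribute is a plain Serializable value, Tomcat's session replication carries it to the other nodes with no authentication-specific clustering service. The lifetime check relies on roughly synchronised clocks across nodes, which a Kerberos deployment already requires, and invalidating the session on logout removes the replicated principal on every node.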


