[jboss-user] [Security & JAAS/JBoss] - JBOSS Negotiate setup clarification with regards to Active D

dufferdo25 do-not-reply at jboss.com
Wed Jun 17 14:29:00 EDT 2009

Hello all,
I was wondering if I could get some clarification with regards to JBOSS Negotiate.
I am running JBOSS 5.1.0.GA and trying to incorporate the latest Negotiate component.
I have a win2k3 Active Directory and want to verify the steps in the "how-to", specifically Chapter 3 (Active Directory).

Let me summarize my setup first:

Domain= base.myco.com
Domain Controller= dc.base.myco.com
JBOSS is on Debian machine called jportal
JBOSS fqdn= jportal.base.myco.com

Now for the first step Server User Creation
I create a user called spnego-test who belongs to the Domain Users group.

Second step Service Account Mapping:
(This is where I have a question...the docs show the following:
setspn.exe -a host/testserver.kerberos.jboss.org testserver
setspn.exe -a HTTP/testserver.kerberos.jboss.org testserver

Now is testserver the user name or the server where jboss resides?)

Do I do the following?:
setspn.exe -a host/jportal.base.myco.com spnego-test
setspn.exe -a HTTP/jportal.base.myco.com spnego-test
jportal being my jboss machine and spnego-test being the user I created

Step 3: ktpass
docs show this:
ktpass -princ host/testserver@kerberos.jboss.org -pass * -mapuser KERBEROS\testserver -out C:\testserver.host.keytab

Do I do the following?:
ktpass -princ host/jportal@base.myco.com -pass * -mapuser DC.BASE.MYCO.COM\spnego-test -out C:\spnego-test.host.keytab

Step 4:
Docs say to do the following: ktab -k c:\testserver.host.keytab -a testserver@KERBEROS.JBOSS.ORG

Do I do?:
ktab -k c:\spnego-test.host.keytab -a spnego-test@DC.BASE.MYCO.COM

Thanks for any help!

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4238319#4238319