SPNEGO + Tomcat 6.0 (JRE 8.0) Configuration
1. Download & Copy "spnego.jar" to "C:\tomcat\lib"
2. Add the Following Statement to "C:\tomcat\conf\web.xml"
Reference Information of Tomcat web.xml – SPNEGO Configuration.
<filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <!-- Fall back to HTTP Basic when the client cannot do Kerberos -->
    <init-param>
        <param-name>spnego.allow.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- true = requests from localhost are not authenticated -->
    <init-param>
        <param-name>spnego.allow.localhost</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- true = Basic is also accepted over plain HTTP (no TLS) -->
    <init-param>
        <param-name>spnego.allow.unsecure.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>spnego-client</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.krb5.conf</param-name>
        <param-value>krb5.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.conf</param-name>
        <param-value>login.conf</param-value>
    </init-param>
    <!-- Service account credentials, stored here in clear text -->
    <init-param>
        <param-name>spnego.preauth.username</param-name>
        <param-value>SPAdmin</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.preauth.password</param-name>
        <param-value>P@ssw0rd</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>spnego-server</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.prompt.ntlm</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.logger.level</param-name>
        <param-value>1</param-value>
    </init-param>
</filter>
<!-- Only *.jsp requests pass through the filter -->
<filter-mapping>
    <filter-name>SpnegoHttpFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
3. Create Text Files "krb5.conf" and "login.conf" in the Root of the "C:\tomcat" Folder.
4. Execute the Following Statements to Assign the Access Right on the SPNEGO Service Account for Kerberos Authentication.
Register the SPN on Service Account – "SPAdmin" for Kerberos Authentication
setspn.exe -A HTTP/vmw12005 SPAdmin
setspn.exe -A HTTP/vmw12005.deisler.com SPAdmin
setspn.exe -A HTTP/intranet SPAdmin
setspn.exe -A HTTP/intranet.deisler.com SPAdmin
List the Service Account SPN – "SPAdmin"
setspn.exe -L SPAdmin
Role Description of above Host Name & Host Name Alias.
– SPAdmin : ( SPNEGO Service Account )
– vmw08001 : ( Workstation )
– vmw12005 : ( Tomcat Application Server )
– intranet : ( Tomcat Application Server Alias )
– deisler.com : ( Active Directory )
Command To Generate KeyTab File
1. ktpass -out C:\test\test.keytab -princ HTTP/vmser007.deisler.com@deisler.com -mapuser LCAdmin@DEISLER.COM -mapOp set -pass Pa22w0rd
2. ktab -a LCAdmin@DEISLER.COM -k C:\TEST\test.keytab
List KeyTab File Entry
1. ktab -l -k C:\test\test.keytab
krb5.conf
login.conf
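The web.xml filter from step 2 can be checked for its weaker settings before deployment. The script below is an added example, not part of the original guide or of the SPNEGO library; the function name audit_spnego_filter and the embedded sample (a trimmed, constructed copy of the filter above) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "net.sourceforge.spnego.SpnegoHttpFilter"
# Constructed sample: trimmed copy of this guide's filter, namespaced like a real web.xml.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <filter>
  <filter-name>SpnegoHttpFilter</filter-name>
  <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
  <init-param><param-name>spnego.allow.basic</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>spnego.allow.unsecure.basic</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>spnego.allow.localhost</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>spnego.preauth.password</param-name><param-value>P@ssw0rd</param-value></init-param>
 </filter>
 <filter-mapping><filter-name>SpnegoHttpFilter</filter-name><url-pattern>*.jsp</url-pattern></filter-mapping>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's "{namespace}" prefix

def _child(elem, name):
    for c in elem:  # text of the first direct child called `name`, or ""
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return ""

def audit_spnego_filter(web_xml_text):
    # Returns (setting, finding) pairs for every SpnegoHttpFilter in the file.
    root = ET.fromstring(web_xml_text)
    findings, names = [], set()
    for f in (e for e in root.iter() if _local(e.tag) == "filter"):
        if _child(f, "filter-class") != FILTER_CLASS:
            continue
        names.add(_child(f, "filter-name"))
        p = {_child(i, "param-name"): _child(i, "param-value")
             for i in f if _local(i.tag) == "init-param"}
        if p.get("spnego.allow.basic") == "true" and p.get("spnego.allow.unsecure.basic") == "true":
            findings.append(("spnego.allow.unsecure.basic", "Basic credentials accepted without TLS"))
        if p.get("spnego.allow.localhost") == "true":
            findings.append(("spnego.allow.localhost", "requests from the server itself skip authentication"))
        if p.get("spnego.preauth.password"):
            findings.append(("spnego.preauth.password", "service account password in clear text"))
    # The filter protects only what its mappings cover.
    for m in (e for e in root.iter() if _local(e.tag) == "filter-mapping"):
        pat = _child(m, "url-pattern")
        if _child(m, "filter-name") in names and pat != "/*":
            findings.append(("url-pattern", "only %s passes through the filter" % pat))
    return findings

if __name__ == "__main__":
    for setting, finding in audit_spnego_filter(SAMPLE):
        print(setting, "-", finding)
```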
The Above Configuration Guide is Referenced From – Configuring Tomcat for Windows Integrated Authentication.
Setting the Service Principal Name for Kerberos Authentication