
Spring + Kerberos + trusted domains

I have 2 domains in Active Directory: domain A and domain B. There is a bidirectional trust set up between those domains. Domain A has a user A, domain B has a user B. Additionally, domain A has a domain-local security group called group A. User B is a member of group A.

What I want to achieve is to authenticate both users in domain A. So far I had no problems with authenticating user A in domain A and user B in domain B. Now I need to authenticate user B in domain A.

Is this doable in the Java/Spring tech stack? My first try was with ActiveDirectoryLdapAuthenticationProvider from Spring Security, but then I checked that it uses a simple LDAP bind request, so I guess this is not doable with this provider.

Next I tried to use Kerberos (Spring Security Kerberos module), but again: I can authenticate user A in domain A and user B in domain B. No success when trying to authenticate user B in domain A. When I read some topics regarding cross-realm authentication in Kerberos, I can see solutions with two realms (each has its own KDC specified). This will work in a way that user B will be authenticated in domain B, which I want to avoid.

My krb5.conf:

[libdefaults]
    default_realm = DOMAIN-A.COM
    default_tkt_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
[realms]
    DOMAIN-A.COM = {
        kdc = domain-a.com
        admin_server = domain-a.com
    }
[domain_realm]
    .domain-a.com = DOMAIN-A.COM
    domain-a.com = DOMAIN-A.COM

Is there any way I can configure Kerberos (or maybe configure Active Directory or the KDC) to make it happen?

Or some completely different approach to this problem, like something other than Kerberos?

You're OK on the "User B is a member of the domain local security group A" part. But what I think is wrong is your krb5.conf doesn't contain any references to domain B. So it won't know where to go to validate the Kerberos ticket. See an MIT example of a krb5.conf containing two domains. If it still doesn't work after editing the krb5.conf according to the example, please update your question with what the latest one looks like.
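As an added illustration of the answer's point (not part of the original answer or of the question), this is a krb5.conf that declares both realms of the trust so the client library can locate domain B's KDC. The realm name DOMAIN-B.COM and the host domain-b.com are assumed placeholders, since the question never names domain B; the explicit DES/RC4 enctype lists from the question are left out so the library's AES defaults apply. Note that under cross-realm trust user B still obtains the initial TGT from domain B's KDC and then a cross-realm ticket for services in DOMAIN-A.COM; the [capaths] section tells the client that the two realms trust each other directly.

```ini
[libdefaults]
    default_realm = DOMAIN-A.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    DOMAIN-A.COM = {
        kdc = domain-a.com
        admin_server = domain-a.com
    }
    # Assumed realm name and KDC host for domain B (placeholders, not from the question)
    DOMAIN-B.COM = {
        kdc = domain-b.com
        admin_server = domain-b.com
    }

[domain_realm]
    .domain-a.com = DOMAIN-A.COM
    domain-a.com = DOMAIN-A.COM
    # Map domain B's DNS names to its realm so principals from B resolve correctly
    .domain-b.com = DOMAIN-B.COM
    domain-b.com = DOMAIN-B.COM

[capaths]
    # Direct bidirectional trust: "." means no intermediate realm is traversed
    DOMAIN-B.COM = {
        DOMAIN-A.COM = .
    }
    DOMAIN-A.COM = {
        DOMAIN-B.COM = .
    }
```

A quick check is to run kinit as userB@DOMAIN-B.COM with this file and then request a service ticket for a service principal in DOMAIN-A.COM; klist should then show both the DOMAIN-B.COM TGT and a krbtgt/DOMAIN-A.COM@DOMAIN-B.COM cross-realm ticket.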
