documentation/9.3.28.v20191105/spnego-support.html - www.eclipse.org/jetty - Git at Google

 <html><head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Spnego Support</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty"><link rel="up" href="configuring-security.html" title="Chapter&nbsp;7.&nbsp;Configuring Security"><link rel="prev" href="jaas-support.html" title="JAAS Support"><link rel="next" href="configuring-jsp.html" title="Chapter&nbsp;8.&nbsp;Configuring JSP Support"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><link rel="stylesheet" href="css/highlighter/foundation.css"><script src="js/highlight.pack.js"></script><script>
       hljs.initHighlightingOnLoad();
     </script><link type="text/css" rel="stylesheet" href="css/font-awesome/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
             Version: 9.3.28.v20191105</span></td><td style="width: 50%"></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Spnego Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="jaas-support.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a>&nbsp;</td><th width="60%" align="center">Chapter&nbsp;7.&nbsp;Configuring Security<br><a accesskey="p" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></th><td width="20%" align="right">&nbsp;<a accesskey="n" href="configuring-jsp.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
           <span class="website">www.webtide.com</span></a></h5><p>
  private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
  scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development
       </p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="spnego-support"></a>Spnego Support</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="section"><a href="spnego-support.html#_configuring_jetty_and_spnego">Configuring Jetty and Spnego</a></span></dt><dt><span class="section"><a href="spnego-support.html#_configuring_firefox">Configuring Firefox</a></span></dt><dt><span class="section"><a href="spnego-support.html#_configuring_internet_explorer">Configuring Internet Explorer</a></span></dt></dl></div><p>Simple and Protected GSSAPI Negotiation Mechanism (Spnego) is a way for users to be seamlessly authenticated when running on a Windows or Active Directory based network.
 Jetty supports this type of authentication and authorization through the JDK (which has been enabled since the later versions of Java 6 and 7).
 Also important to note is that this is an <span class="emphasis"><em>incredibly</em></span> fragile setup where everything needs to be configured just right for things to work, otherwise it can fail in fun and exciting, not to mention obscure, ways.</p><p>There is a substantial amount of configuration and testing required to enable this feature as well as knowledge and access to central systems on a Windows network such as the Active Domain Controller and the ability to create and maintain service users.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_configuring_jetty_and_spnego"></a>Configuring Jetty and Spnego</h3></div></div></div><p>To run with Spengo enabled the following command line options are required:</p><div class="screenexample"><pre class="screen">-Djava.security.krb5.conf=/path/to/jetty/etc/krb5.ini \
 -Djava.security.auth.login.config=/path/to/jetty/etc/spnego.conf \
 -Djavax.security.auth.useSubjectCredsOnly=false</pre></div><p>For debugging the Spengo authentication the following options are very helpful:</p><div class="screenexample"><pre class="screen">-Dorg.eclipse.jetty.LEVEL=debug \
 -Dsun.security.spnego.debug=all</pre></div><p>Spengo Authentication must be enabled in the webapp in the following way.
 The name of the role will be different for your network.</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code> &lt;security-constraint&gt;
    &lt;web-resource-collection&gt;
      &lt;web-resource-name&gt;Secure Area&lt;/web-resource-name&gt;
      &lt;url-pattern&gt;/secure/me/*&lt;/url-pattern&gt;
    &lt;/web-resource-collection&gt;
    &lt;auth-constraint&gt;
      &lt;!-- this is the domain that the user is a member of --&gt;
      &lt;role-name&gt;MORTBAY.ORG&lt;/role-name&gt;
    &lt;/auth-constraint&gt;
  &lt;/security-constraint&gt;
  &lt;login-config&gt;
    &lt;auth-method&gt;SPNEGO&lt;/auth-method&gt;
    &lt;realm-name&gt;Test Realm&lt;/realm-name&gt;
    &lt;!-- optionally to add custom error page --&gt;
    &lt;spnego-login-config&gt;
      &lt;spengo-error-page&gt;/loginError.html?param=foo&lt;/spnego-error-page&gt;
    &lt;/spnego-login-config&gt;
  &lt;/login-config&gt;</code></pre><p>A corresponding <code class="literal">UserRealm</code> needs to be created either programmatically if embedded, via the <code class="literal">jetty.xml</code> or in a context file for the webapp.</p><p>This is what the configuration within a Jetty xml file would look like.</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>  &lt;Call name="addBean"&gt;
      &lt;Arg&gt;
        &lt;New class="org.eclipse.jetty.security.SpnegoLoginService"&gt;
          &lt;Set name="name"&gt;Test Realm&lt;/Set&gt;
          &lt;Set name="config"&gt;&lt;Property name="jetty.home" default="."/&gt;/etc/spnego.properties&lt;/Set&gt;
        &lt;/New&gt;
      &lt;/Arg&gt;
    &lt;/Call&gt;</code></pre><p>This is what the configuration within a context xml file would look like.</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code> &lt;Get name="securityHandler"&gt;
    &lt;Set name="loginService"&gt;
      &lt;New class="org.eclipse.jetty.security.SpnegoLoginService"&gt;
        &lt;Set name="name"&gt;Test Realm&lt;/Set&gt;
        &lt;Set name="config"&gt;
         &lt;SystemProperty name="jetty.home" default="."/&gt;/etc/spnego.properties
       &lt;/Set&gt;
      &lt;/New&gt;
    &lt;/Set&gt;
    &lt;Set name="checkWelcomeFiles"&gt;true&lt;/Set&gt;
  &lt;/Get&gt;</code></pre><p>There are a number of important configuration files with S3pnego that are required. The default values for these configuration files from this
 test example are found in the <code class="literal">/etc</code> folder of the Jetty distribution.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">spnego.properties</span></dt><dd>configures the user realm with runtime properties</dd><dt><span class="term">krb5.ini</span></dt><dd>configures the underlying kerberos setup</dd><dt><span class="term">spnego.conf</span></dt><dd>configures the glue between gssapi and kerberos</dd></dl></div><p>It is important to note that the keytab file referenced in the <code class="literal">krb5.ini</code> and the <code class="literal">spengo.conf</code> files needs to contain the keytab for the <code class="literal">targetName</code> for the http server.
 To do this use a process similar to this:</p><p>On the Windows Active Domain Controller run:</p><div class="screenexample"><pre class="screen">$ setspn -A HTTP/linux.mortbay.org ADUser</pre></div><p>To create the keytab file use the following process:</p><div class="screenexample"><pre class="screen">$ ktpass -out c:\dir\krb5.keytab -princ HTTP/linux.mortbay.org@MORTBAY.ORG -mapUser ADUser -mapOp set -pass ADUserPWD -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL</pre></div><p>This step will give you the keytab file which should then be copied to the machine running the http server and referenced from the configuration files.
 For our testing we put the keytab into the <code class="literal">/etc</code> directory of Jetty and referenced it from there.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_configuring_firefox"></a>Configuring Firefox</h3></div></div></div><p>The follows steps have been required to inform Firefox that it should use a negotiation dialog to authenticate.</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Browse to about:config and agree to the warnings</li><li class="listitem">Search through to find the <span class="emphasis"><em>network</em></span> settings</li><li class="listitem">Set <code class="literal">network.negotiate-auth.delegation-uris</code> to <a class="link" href="http://,https://" target="_top">http://,https://</a></li><li class="listitem">Set <code class="literal">network.negotiate-auth.trusted-uris</code> to <a class="link" href="http://,https://" target="_top">http://,https://</a></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_configuring_internet_explorer"></a>Configuring Internet Explorer</h3></div></div></div><p>The follows steps have been required to inform Internet Explorer that it should use a negotiation dialog to authenticate.</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Tools &#8594; Options &#8594; Security &#8594; Local Intranet &#8594; Sites (everything should be checked here)</li><li class="listitem">Tools &#8594; Options &#8594; Security &#8594; Local Intranet &#8594; Sites &#8594; Advanced (add url to server (http:// and/or https:// use the hostname!)</li><li class="listitem">Tools &#8594; Options &#8594; Security &#8594; Local Intranet &#8594; Sites &#8594; Advanced &#8594; Close</li><li class="listitem">Tools &#8594; Options &#8594; Security &#8594; Local Intranet &#8594; Sites &#8594; Ok</li><li class="listitem">Tools &#8594; Options &#8594; Advanced &#8594; Security (in the checkbox list)</li><li class="listitem">Locate and check <span class="emphasis"><em>Enable Integrated Windows Authentication</em></span></li><li class="listitem">Tools &#8594; Options &#8594; Advanced &#8594; Security &#8594; Ok</li><li class="listitem">Close IE then reopen and browse to your Spengo protected resource</li></ol></div><div class="blockquote"><blockquote class="blockquote"><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="fa fa-asterisk" aria-hidden="true"></i> Note</h3><p>You must go to the hostname and not the IP.
 If you go to the IP it will default to NTLM authentication&#8230;&#8203;the following conditions must be true for Spnego authentication to work:
 * You must be within the Intranet Zone of the network
 * Accessing the server using a Hostname rather than IP
 * Integrated Windows Authentication in IE is enabled and the host is trusted in Firefox
 * The server is not local to the browser, it can&#8217;t be running on localhost
 * The client&#8217;s Kerberos system is authenticated to a domain controller</p></div></blockquote></div></div></div><script type="text/javascript">
       SyntaxHighlighter.all()
     </script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="jaas-support.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="configuring-security.html"><i class="fa fa-chevron-up" aria-hidden="true"></i> Top</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="configuring-jsp.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr><tr><td width="40%" align="left" valign="top">JAAS Support&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></td><td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Configuring JSP Support</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
             See an error or something missing?
             <span class="callout"><a href="http://github.com/eclipse/jetty.project">Contribute to this documentation at
                 <span class="website"><i class="fa fa-github" aria-hidden="true"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2019-11-05)</i></span></div></p></body></html>
	<html><head>
	<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
	<title>Spnego Support</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty"><link rel="up" href="configuring-security.html" title="Chapter 7. Configuring Security"><link rel="prev" href="jaas-support.html" title="JAAS Support"><link rel="next" href="configuring-jsp.html" title="Chapter 8. Configuring JSP Support"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><link rel="stylesheet" href="css/highlighter/foundation.css"><script src="js/highlight.pack.js"></script><script>
	hljs.initHighlightingOnLoad();
	</script><link type="text/css" rel="stylesheet" href="css/font-awesome/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
	Version: 9.3.28.v20191105</span></td><td style="width: 50%"></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Spnego Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="jaas-support.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a> </td><th width="60%" align="center">Chapter 7. Configuring Security<br><a accesskey="p" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></th><td width="20%" align="right"> <a accesskey="n" href="configuring-jsp.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
	<span class="website">www.webtide.com</span></a></h5><p>
	private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
	scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development
	</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="spnego-support"></a>Spnego Support</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="section"><a href="spnego-support.html#_configuring_jetty_and_spnego">Configuring Jetty and Spnego</a></span></dt><dt><span class="section"><a href="spnego-support.html#_configuring_firefox">Configuring Firefox</a></span></dt><dt><span class="section"><a href="spnego-support.html#_configuring_internet_explorer">Configuring Internet Explorer</a></span></dt></dl></div><p>Simple and Protected GSSAPI Negotiation Mechanism (Spnego) is a way for users to be seamlessly authenticated when running on a Windows or Active Directory based network.
	Jetty supports this type of authentication and authorization through the JDK (which has been enabled since the later versions of Java 6 and 7).
	Also important to note is that this is an <span class="emphasis"><em>incredibly</em></span> fragile setup where everything needs to be configured just right for things to work, otherwise it can fail in fun and exciting, not to mention obscure, ways.</p><p>There is a substantial amount of configuration and testing required to enable this feature as well as knowledge and access to central systems on a Windows network such as the Active Domain Controller and the ability to create and maintain service users.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_configuring_jetty_and_spnego"></a>Configuring Jetty and Spnego</h3></div></div></div><p>To run with Spengo enabled the following command line options are required:</p><div class="screenexample"><pre class="screen">-Djava.security.krb5.conf=/path/to/jetty/etc/krb5.ini \
	-Djava.security.auth.login.config=/path/to/jetty/etc/spnego.conf \
	-Djavax.security.auth.useSubjectCredsOnly=false</pre></div><p>For debugging the Spengo authentication the following options are very helpful:</p><div class="screenexample"><pre class="screen">-Dorg.eclipse.jetty.LEVEL=debug \
	-Dsun.security.spnego.debug=all</pre></div><p>Spengo Authentication must be enabled in the webapp in the following way.
	The name of the role will be different for your network.</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code> <security-constraint>
	<web-resource-collection>
	<web-resource-name>Secure Area</web-resource-name>
	<url-pattern>/secure/me/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
	<!-- this is the domain that the user is a member of -->
	<role-name>MORTBAY.ORG</role-name>
	</auth-constraint>
	</security-constraint>
	<login-config>
	<auth-method>SPNEGO</auth-method>
	<realm-name>Test Realm</realm-name>
	<!-- optionally to add custom error page -->
	<spnego-login-config>
	<spengo-error-page>/loginError.html?param=foo</spnego-error-page>
	</spnego-login-config>
	</login-config></code></pre><p>A corresponding <code class="literal">UserRealm</code> needs to be created either programmatically if embedded, via the <code class="literal">jetty.xml</code> or in a context file for the webapp.</p><p>This is what the configuration within a Jetty xml file would look like.</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code> <Call name="addBean">
	<Arg>
	<New class="org.eclipse.jetty.security.SpnegoLoginService">
	<Set name="name">Test Realm</Set>
	<Set name="config"><Property name="jetty.home" default="."/>/etc/spnego.properties</Set>
	</New>
	</Arg>
	</Call></code></pre><p>This is what the configuration within a context xml file would look like.</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code> <Get name="securityHandler">
	<Set name="loginService">
	<New class="org.eclipse.jetty.security.SpnegoLoginService">
	<Set name="name">Test Realm</Set>
	<Set name="config">
	<SystemProperty name="jetty.home" default="."/>/etc/spnego.properties
	</Set>
	</New>
	</Set>
	<Set name="checkWelcomeFiles">true</Set>
	</Get></code></pre><p>There are a number of important configuration files with S3pnego that are required. The default values for these configuration files from this
	test example are found in the <code class="literal">/etc</code> folder of the Jetty distribution.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">spnego.properties</span></dt><dd>configures the user realm with runtime properties</dd><dt><span class="term">krb5.ini</span></dt><dd>configures the underlying kerberos setup</dd><dt><span class="term">spnego.conf</span></dt><dd>configures the glue between gssapi and kerberos</dd></dl></div><p>It is important to note that the keytab file referenced in the <code class="literal">krb5.ini</code> and the <code class="literal">spengo.conf</code> files needs to contain the keytab for the <code class="literal">targetName</code> for the http server.
	To do this use a process similar to this:</p><p>On the Windows Active Domain Controller run:</p><div class="screenexample"><pre class="screen">$ setspn -A HTTP/linux.mortbay.org ADUser</pre></div><p>To create the keytab file use the following process:</p><div class="screenexample"><pre class="screen">$ ktpass -out c:\dir\krb5.keytab -princ HTTP/linux.mortbay.org@MORTBAY.ORG -mapUser ADUser -mapOp set -pass ADUserPWD -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL</pre></div><p>This step will give you the keytab file which should then be copied to the machine running the http server and referenced from the configuration files.
	For our testing we put the keytab into the <code class="literal">/etc</code> directory of Jetty and referenced it from there.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_configuring_firefox"></a>Configuring Firefox</h3></div></div></div><p>The follows steps have been required to inform Firefox that it should use a negotiation dialog to authenticate.</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Browse to about:config and agree to the warnings</li><li class="listitem">Search through to find the <span class="emphasis"><em>network</em></span> settings</li><li class="listitem">Set <code class="literal">network.negotiate-auth.delegation-uris</code> to <a class="link" href="http://,https://" target="_top">http://,https://</a></li><li class="listitem">Set <code class="literal">network.negotiate-auth.trusted-uris</code> to <a class="link" href="http://,https://" target="_top">http://,https://</a></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_configuring_internet_explorer"></a>Configuring Internet Explorer</h3></div></div></div><p>The follows steps have been required to inform Internet Explorer that it should use a negotiation dialog to authenticate.</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Tools → Options → Security → Local Intranet → Sites (everything should be checked here)</li><li class="listitem">Tools → Options → Security → Local Intranet → Sites → Advanced (add url to server (http:// and/or https:// use the hostname!)</li><li class="listitem">Tools → Options → Security → Local Intranet → Sites → Advanced → Close</li><li class="listitem">Tools → Options → Security → Local Intranet → Sites → Ok</li><li class="listitem">Tools → Options → Advanced → Security (in the checkbox list)</li><li class="listitem">Locate and check <span class="emphasis"><em>Enable Integrated Windows Authentication</em></span></li><li class="listitem">Tools → Options → Advanced → Security → Ok</li><li class="listitem">Close IE then reopen and browse to your Spengo protected resource</li></ol></div><div class="blockquote"><blockquote class="blockquote"><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="fa fa-asterisk" aria-hidden="true"></i> Note</h3><p>You must go to the hostname and not the IP.
	If you go to the IP it will default to NTLM authentication…the following conditions must be true for Spnego authentication to work:
	* You must be within the Intranet Zone of the network
	* Accessing the server using a Hostname rather than IP
	* Integrated Windows Authentication in IE is enabled and the host is trusted in Firefox
	* The server is not local to the browser, it can’t be running on localhost
	* The client’s Kerberos system is authenticated to a domain controller</p></div></blockquote></div></div></div><script type="text/javascript">
	SyntaxHighlighter.all()
	</script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="jaas-support.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a> </td><td width="20%" align="center"><a accesskey="u" href="configuring-security.html"><i class="fa fa-chevron-up" aria-hidden="true"></i> Top</a></td><td width="40%" align="right"> <a accesskey="n" href="configuring-jsp.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr><tr><td width="40%" align="left" valign="top">JAAS Support </td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. Configuring JSP Support</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
	See an error or something missing?
	<span class="callout"><a href="http://github.com/eclipse/jetty.project">Contribute to this documentation at
	<span class="website"><i class="fa fa-github" aria-hidden="true"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2019-11-05)</i></span></div></p></body></html>