This topic is about the use of Kerberos strictly on the IdP server. If you're looking for the end-to-end use of Kerberos with a web browser using the SPNEGO GSS-API mechanism (often referred to as desktop authentication), see the SPNEGOAuthnConfiguration topic.
Current File(s): conf/authn/krb5-authn-config.xml
Format: Native Spring
V2 Legacy File(s): conf/handler.xml, conf/login.config
Overview
This back-end for the password authentication login flow uses the Oracle Java implementation's Kerberos library for password-based authentication instead of using a JAAS module.
The primary advantage of this approach is the capability to prevent a rogue KDC from spoofing responses by validating its knowledge of a service principal key configured locally in a keytab file, which is a standard practice for safe use of Kerberos. It is STRONGLY urged that this feature be used.
General Configuration
Configuring Kerberos as a back-end requires that the right import is active in authn/password-authn-config.xml:
<import resource="krb5-authn-config.xml" />
The other imports must be commented or removed.
A few beans are defined in authn/krb5-authn-config.xml to configure this back-end by setting some Kerberos-related options.
A bean alias is also defined that instantiates the Kerberos back-end action as the "ValidateUsernamePassword" step of the web flow. This must not be changed.
Kerberos Configuration
The actual Kerberos configuration is managed in a conf or ini file that can be placed in a number of different locations. On non-Windows servers, using a system-wide configuration in /etc/krb5.conf is generally advised. It's possible to have Java-specific configurations and/or provide the path to a configuration using a system property, as discussed here.
Reference
Beans
The beans defined in authn/krb5-authn-config.xml follow:
Bean ID | Type | Default | Function
---|---|---|---
shibboleth.authn.Krb5.RefreshConfig | Boolean | False | Whether to reload the underlying Kerberos configuration (generally in /etc/krb5.conf) on every login attempt
shibboleth.authn.Krb5.PreserveTicket | Boolean | False | Whether to preserve the resulting Kerberos TGT in the Java Subject's private credential set
shibboleth.authn.Krb5.ServicePrincipal (3.2) | String | | Name of a service principal to use to verify the KDC supplying the TGT, by requesting and verifying a service ticket issued for it
shibboleth.authn.Krb5.Keytab (3.2) | Path | | Path to a keytab file containing keys belonging to the service principal defined above
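As a worked example of the General Configuration section and the bean table above, here is a complete authn/krb5-authn-config.xml that enables the KDC-verification feature. This is an added example, not the file shipped with the IdP; the principal name HTTP/idp.example.org@EXAMPLE.ORG, the keytab path, and the use of the %{idp.home} property are assumptions for illustration. The existing bean alias that wires the back-end into the "ValidateUsernamePassword" step is left exactly as the distribution defines it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example authn/krb5-authn-config.xml (added example; values are assumed). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Re-read /etc/krb5.conf on every login attempt; false is the normal
         production setting, true is handy while iterating on the config. -->
    <bean id="shibboleth.authn.Krb5.RefreshConfig"
          class="java.lang.Boolean" c:_0="false" />

    <!-- Keep the user's TGT in the Subject's private credentials only if a
         downstream component actually needs it; otherwise leave it false. -->
    <bean id="shibboleth.authn.Krb5.PreserveTicket"
          class="java.lang.Boolean" c:_0="false" />

    <!-- Service principal whose key is in the keytab below. After the user's
         TGT is obtained, a service ticket for this principal is requested and
         decrypted with the local key, so a spoofed KDC cannot satisfy the check.
         Principal name is an assumed example value. -->
    <bean id="shibboleth.authn.Krb5.ServicePrincipal"
          class="java.lang.String" c:_0="HTTP/idp.example.org@EXAMPLE.ORG" />

    <!-- Keytab holding the service principal's key. Path is an assumed example;
         restrict its permissions to the account the IdP runs as. -->
    <bean id="shibboleth.authn.Krb5.Keytab"
          class="java.lang.String" c:_0="%{idp.home}/credentials/idp.keytab" />

    <!-- The alias binding this back-end to the ValidateUsernamePassword step
         is defined in the distributed file and must not be changed. -->

</beans>
```

With both beans set, a login that reaches the KDC but fails the service-ticket verification is rejected rather than accepted, which is the behaviour the Overview recommends relying on.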
Notes
TBD