Configuring JBoss Negotiation in an all Windows Domain

The purpose of this article is to describe how to configure the accounts required for JBoss Negotiation when JBoss is running on a Windows server that is a member of the Active Directory domain.

The first point to confirm is the host name that will be used to access the server. As an example, if you want to access the server as http://appserver.jboss.com the host name is 'appserver.jboss.com'; for the rest of this article this will be referred to as {hostname}.

In this example my realm is 'jboss.com', which will be referred to as {realm}, and the domain is 'jboss', which will be referred to as {domain}.

The server that will be hosting JBoss will already be registered with the domain under its short name, in this case 'appserver', which for the rest of this article will be referred to as {machine_name}.

Clearing Existing Service Principal Mappings

For the negotiation to take place correctly the identity of the machine needs to be mapped to a service principal; it is the presence of this mapping that allows the web browser on a client to trust the server and attempt SPNEGO.

The client machine will check with the domain controller for a mapping in the form 'HTTP/{hostname}' to find the service principal. As this is a complete Windows network some mappings will have been created automatically, so these will need to be removed first.

Using the setspn.exe utility the first step is to check for the mappings against the machine already registered with the domain, which can be achieved with the following command: -

  setspn -L {machine_name}

This command will list all service principal mappings for the specified {machine_name}; if either of the following is present it needs to be deleted: -

  HTTP/{hostname}
  host/{hostname}

These can be deleted with the following commands: -

  setspn -D HTTP/{hostname} {machine_name}
  setspn -D host/{hostname} {machine_name}

All further operations using setspn in the JBoss Negotiation user guide should be ignored.

Host User Account Creation

As in the JBoss Negotiation user guide a new user needs to be created for JBoss; follow the steps in the user guide to create the new user. The important point to consider is that the username for the user MUST be different from the {machine_name}.

Apart from the restriction regarding the name, the other settings for the user should be as described in the user guide. For the remainder of this article the new user account will be referred to as {user_name}.

Service Principal Mapping

The next step is to define the mapping between {user_name} and {hostname} so that the client machines will trust the JBoss server; this can be achieved by running the following command: -

  ktpass -princ HTTP/{hostname}@{realm} -pass * -mapuser {domain}\{user_name}

When prompted for the password enter the password for {user_name}. At this step I have found it necessary to reset the password for {user_name} ready for the ktab step later.

After running ktpass you should run the following command: -

  setspn -L {user_name}

This should now show an entry mapping HTTP/{hostname} to this user.
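
The following PowerShell script is an added example, not part of this article or of JBoss Negotiation. It assumes setspn.exe is on the PATH and takes the article's placeholder names as parameters; it parses the setspn -L output for both {machine_name} and {user_name} and reports a stale HTTP/ or host/ mapping still on the machine account, a missing HTTP/{hostname} mapping on the user account, or the same SPN registered on both accounts.

```powershell
# Added example, not part of the original article. Assumes setspn.exe is on the
# PATH and that the caller supplies the article's placeholder names.
param(
    [Parameter(Mandatory)] [string]$HostName,     # {hostname}, e.g. appserver.jboss.com
    [Parameter(Mandatory)] [string]$MachineName,  # {machine_name}, e.g. appserver
    [Parameter(Mandatory)] [string]$UserName      # {user_name}, the account mapped by ktpass
)

# Returns the SPNs that 'setspn -L <account>' prints, dropping the header line
# ("Registered ServicePrincipalNames for CN=...") and any error text.
function Get-RegisteredSpn([string]$Account) {
    setspn -L $Account 2>&1 |
        ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^[A-Za-z0-9_-]+/' }
}

$machineSpns = @(Get-RegisteredSpn $MachineName)
$userSpns    = @(Get-RegisteredSpn $UserName)
$wanted      = "HTTP/$HostName"
$problems    = @()

# -eq is case-insensitive in PowerShell, which matches how AD compares SPNs
# (setspn usually prints the automatic entries as HOST/... in upper case).
foreach ($stale in @("HTTP/$HostName", "host/$HostName")) {
    if (@($machineSpns | Where-Object { $_ -eq $stale }).Count -gt 0) {
        $problems += "$stale is still registered on $MachineName; run: setspn -D $stale $MachineName"
    }
}

if (@($userSpns | Where-Object { $_ -eq $wanted }).Count -eq 0) {
    $problems += "$wanted is not registered on $UserName; repeat the ktpass step"
}

# The same SPN on two accounts is a duplicate SPN, which breaks Kerberos for the
# service; this is why the automatic mappings are removed before ktpass is run.
if (@($machineSpns + $userSpns | Where-Object { $_ -eq $wanted }).Count -gt 1) {
    $problems += "$wanted is registered on more than one account (duplicate SPN)"
}

if ($problems.Count -eq 0) {
    "OK: $wanted is mapped only to $UserName and no stale mapping remains on $MachineName"
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```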

Export the Keytab

The final step is to export the keytab for this user on the machine running JBoss; this can be achieved with the following command: -

  ktab -k service.keytab -a HTTP/{hostname}@{realm}

This will export the ticket for the HTTP/{hostname} principal to the keytab service.keytab, which can now be used to configure the 'host' security domain on JBoss according to the instructions within the JBoss Negotiation user guide.

The principal will then be defined within the security domain as: -

  <module-option name="principal">HTTP/{hostname}@{realm}</module-option>