This tutorial describes how to configure Kerberos authentication in WildFly using Elytron.
Kerberos server
For the needs of this tutorial we will suppose you already have a Kerberos server running and have generated keytab files for the following services:
HTTP/localhost@JBOSS.ORG in http.keytab
remote/localhost@JBOSS.ORG in remote.keytab
where localhost is the hostname under which your WildFly server will be accessible and JBOSS.ORG is your Kerberos realm. The hostname in the service principal must match the name clients actually use to reach the server; a mismatch is the most common cause of failures later on.
Testing server
If you don't have a Kerberos server, or you need a throwaway server for testing, you can use the simple Kerberos server and keytab generator by Josef Cacek:
Generate the keytab files for the WildFly server:
Now you are ready to configure the WildFly server.
Configuring Kerberos authentication
First you need to specify the path to krb5.conf in the java.security.krb5.conf system property:
Next, create kerberos-security-factory resources referencing the appropriate keytab files for both protocols: HTTP (web browser) and remote (remote EJB, server CLI):
Now you can add the Kerberos-based authentication mechanisms to the appropriate authentication factories (SPNEGO for the HTTP authentication factory, GSSAPI for the SASL authentication factory):
Security realm
As Kerberos provides authentication only, you also need to provide a source of users for identity lookup (roles and attributes).
For testing, the default properties-realm can be used. Put the following at the end of the mgmt-users.properties file:
A blank password is sufficient to be able to authenticate using Kerberos: the ticket has already proven who the caller is, and the realm is consulted only to look up the identity.
LDAP realm
For production an ldap-realm should be used instead:
And replace the properties realms in the security domain:
But you can skip this for testing and use the properties-realm approach above instead.
Enabling Elytron for management authentication
To use the authentication factories above, we need to switch the management interface from the legacy security realms to them:
(http-upgrade defines the parameters for using SASL on connections that were upgraded from HTTP to the native management protocol, which is what the CLI uses)
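As an added, complete example of the whole procedure above (not the tutorial's own commands), the following POSIX shell script generates the jboss-cli batch for every step, from the krb5.conf property to switching the management interface, and optionally appends the test user and applies the batch. Assumed names: the factories krbSFHttp and krbSFRemote, the default management-http-authentication and management-sasl-authentication factories shipped in WildFly's standalone.xml, the hypothetical user hnelson@JBOSS.ORG, and placeholder paths. It uses the properties-realm shortcut rather than the ldap-realm.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Generates (and with APPLY=1 applies) the jboss-cli batch for Kerberos via Elytron.
set -eu

SERVICE_HOST="${SERVICE_HOST:-localhost}"        # must match the name clients use
KRB_REALM="${KRB_REALM:-JBOSS.ORG}"
KRB5_CONF="${KRB5_CONF:-/path/to/krb5.conf}"     # placeholder path
KEYTAB_DIR="${KEYTAB_DIR:-/path/to/keytabs}"     # placeholder path
MGMT_USERS="${MGMT_USERS:-/path/to/wildfly/standalone/configuration/mgmt-users.properties}"
OUT="${OUT:-${TMPDIR:-/tmp}/elytron-kerberos.cli}"

# Kerberos V5 (RFC 1964) and SPNEGO (RFC 4178) mechanism OIDs; SPNEGO wraps
# Kerberos for browsers, plain KRB5 is what the SASL GSSAPI mechanism uses.
OIDS='["1.2.840.113554.1.2.2", "1.3.6.1.5.5.2"]'

# Emit the CLI batch on stdout. Lines starting with '#' are CLI comments.
write_cli() {
cat <<EOF
# Tell the server JVM where the realm and KDC definitions live.
/system-property=java.security.krb5.conf:add(value="${KRB5_CONF}")

# One kerberos-security-factory per service principal / keytab.
/subsystem=elytron/kerberos-security-factory=krbSFHttp:add(principal="HTTP/${SERVICE_HOST}@${KRB_REALM}", path="${KEYTAB_DIR}/http.keytab", mechanism-oids=${OIDS})
/subsystem=elytron/kerberos-security-factory=krbSFRemote:add(principal="remote/${SERVICE_HOST}@${KRB_REALM}", path="${KEYTAB_DIR}/remote.keytab", mechanism-oids=${OIDS})

# list-add at index 0 puts SPNEGO / GSSAPI first while keeping the existing
# DIGEST mechanisms as fallback; write-attribute would replace the whole list.
/subsystem=elytron/http-authentication-factory=management-http-authentication:list-add(name=mechanism-configurations, index=0, value={mechanism-name=SPNEGO, credential-security-factory=krbSFHttp})
/subsystem=elytron/sasl-authentication-factory=management-sasl-authentication:list-add(name=mechanism-configurations, index=0, value={mechanism-name=GSSAPI, credential-security-factory=krbSFRemote})

# Switch the management interface from the legacy security realm to Elytron.
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=management-http-authentication)
/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=management-sasl-authentication)
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
reload
EOF
}

# Kerberos has already authenticated the caller; the properties-realm is only
# consulted to find the identity, so an empty password hash is enough.
# Idempotent: the line is appended only if it is not already present.
add_mgmt_user() {
  grep -qxF "$1=" "$MGMT_USERS" 2>/dev/null || printf '%s=\n' "$1" >> "$MGMT_USERS"
}

write_cli > "$OUT"
echo "CLI batch written to $OUT (run with APPLY=1 to add the test user and apply it)" >&2
if [ -n "${APPLY:-}" ]; then
  add_mgmt_user "hnelson@${KRB_REALM}"   # hypothetical test user; must exist in the KDC
  "${JBOSS_HOME:?JBOSS_HOME must point at the WildFly installation}/bin/jboss-cli.sh" --connect --file="$OUT"
fi
```

Review the generated file before applying it: once security-realm is undefined, the management interface trusts only the Elytron factories, so a wrong principal or keytab path locks you out of remote management until you fix it with a local, offline CLI session.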
Testing
First you need to log in using kinit:
Afterwards you should be able to authenticate to the JBoss CLI using Kerberos:
Alternatively, you can test authentication using curl:
Or using a custom client built on the Elytron client library:
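As an added example (not the tutorial's own commands), the following POSIX shell script walks the same test sequence: it first probes the management interface without credentials and checks that the 401 response actually offers a Negotiate challenge, which tells a SPNEGO misconfiguration apart from a client-side Kerberos problem, and only then runs kinit, curl and the CLI. Assumed: the hypothetical user hnelson@JBOSS.ORG, the management interface on localhost:9990, placeholder paths, and that kinit, curl (built with GSSAPI) and jboss-cli.sh are on PATH. The sample headers are constructed so the checks can run offline; set RUN_LIVE=1 for the real thing.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
set -eu

KRB_REALM="${KRB_REALM:-JBOSS.ORG}"
KRB_USER="${KRB_USER:-hnelson}"                  # hypothetical test user
MGMT_HOST="${MGMT_HOST:-localhost}"
MGMT_URL="http://${MGMT_HOST}:9990/management"
export KRB5_CONFIG="${KRB5_CONFIG:-/path/to/krb5.conf}"   # placeholder path

# Return 0 if the raw response headers in $1 contain a Negotiate challenge,
# i.e. the server offers SPNEGO at all. A 401 that lists only Digest/Basic
# means the SPNEGO mechanism never made it into the HTTP authentication factory.
negotiate_offered() {
  printf '%s\n' "$1" | grep -qi '^WWW-Authenticate: *Negotiate'
}

# Extract the three-digit status code from the first header line.
http_status() {
  printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Unauthenticated probe: we expect 401 plus a Negotiate challenge.
probe_server() {
  headers=$(curl -s -D - -o /dev/null "$MGMT_URL") || return 1
  [ "$(http_status "$headers")" = "401" ] && negotiate_offered "$headers"
}

# Constructed sample responses for offline checks (not captured from a server).
SAMPLE_GOOD='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: Digest realm="ManagementRealm", nonce="..."
Content-Length: 77'

SAMPLE_NO_SPNEGO='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="ManagementRealm", nonce="..."
Content-Length: 77'

if [ -n "${RUN_LIVE:-}" ]; then
  probe_server || { echo "server does not offer Negotiate on $MGMT_URL" >&2; exit 1; }
  kinit "${KRB_USER}@${KRB_REALM}"
  klist
  # '-u :' is what switches curl into Negotiate mode with an empty user;
  # the ticket cache is picked up through GSSAPI.
  curl -s -o /dev/null -w 'curl with --negotiate: HTTP %{http_code}\n' --negotiate -u : "$MGMT_URL"
  # The CLI JVM needs the same krb5.conf and must be allowed to use the local
  # ticket cache (useSubjectCredsOnly=false), otherwise "Failed to find any Kerberos tgt".
  JAVA_OPTS="-Djava.security.krb5.conf=${KRB5_CONFIG} -Djavax.security.auth.useSubjectCredsOnly=false" \
    jboss-cli.sh --connect --controller="remote+http://${MGMT_HOST}:9990" --command=':whoami(verbose=true)'
fi
```

A 200 from curl plus a :whoami result naming hnelson@JBOSS.ORG confirms both the HTTP (SPNEGO) and the SASL (GSSAPI) paths; if curl succeeds but the CLI fails, the problem is on the remote/ principal side, not the KDC.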
Configuring Firefox
In about:config set network.negotiate-auth.trusted-uris to contain localhost; individual hostnames need to be delimited by a comma AND a space. Keep this list restricted to hosts you control, since it decides which sites Firefox will negotiate with at all:
Run Firefox with the KRB5_CONFIG environment variable pointing at your krb5.conf; you should be logged in automatically:
Getting debug output
We can set a system property to enable Kerberos debug output in the Oracle JDK:
Trace messages from Elytron and from Remoting will also be useful:
Common error messages
No server entry found for kerberos principal name HTTP/127.0.0.1@JBOSS.ORG
You are accessing the WildFly server from the browser under a different hostname (127.0.0.1) than the one for which the Kerberos service principal exists (localhost). Use the hostname from the principal, or generate a keytab for the name you actually use.
KrbException: Fail to create credential. (63) - No service creds
Probably a wrong mapping of hostname to realm in the [domain_realm] section of krb5.conf, or a wrong path to krb5.conf on the client.
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
Probably the javax.security.auth.useSubjectCredsOnly property was not set to false while trying to use the local-kerberos credential (the ticket cache obtained with kinit).