Kerberos or NTLM with SPNEGO?

Coordinator
Aug 10, 2009 at 9:03 AM

To understand Kerberos, it is better to read Keith Brown The .Net Developer's Guide on Windows Security, items 59, 60, 61.

If Alice wants to communicate with Bob, she asks a KDC for a random session's key that will be used between Alice and Bob. But Alice must know the Bob's name. With the server Web, she knows only the protocol used and the name of the server.

So there is a mapping from the couple (service/server) into an account in AD. By default, all the windows computers declared in Active Directory have an attribute "ServicePrincipalName".

 

Suppose you have an AD forest test.net with two others domains domaina.test.net and domainb.test.net.

Suppose tomcat run on a server webserver.domaina.test.net.

By default, the computer's account webserver  (webserver$) has an attribute ServicePrincipalName with the values HOST/WEBSERVER and HOST/webserver.domaina.test.net If you use HTTP, DCOM, Named Pipes this service principal name can be used.

 

To use SSO with SPNEGO, you have to add *.test.net in the list of your intranet's servers defined on IE and test.net to this list on Firefox. If Alice calls http://webserver.domaina.test.net:8080/authbysspi/index.jsp, IE and Firefox will use Kerberos.

If you use XP and IE (not on Windows 2003 server), or http://webserver:8080/authbysspi/index.jsp, Kerberos will also be used.

But the account used by Tomcat must be the account of the server. The local accounts SYSTEM or better, Network Service are mapped, on the network, into the server's account. If IE or Firefox try Kerberos, after a failure, it does not try NTLM.

 

But Alice can use the address of the server 10.11.12.13, so you have to add 10.*.*.* in the server's list of your intranet on IE. On Firefox, you must add the addresses. If you use 10, Firefox will use Spnego with the addresses ending with 10, which is not very interesting. If someone knows a solution, a comment will be welcome. IE or Firefox CANNOT use Kerberos with an address, so they use NTLM. In this case, you can use another account.

But when you install Tomcat, you do not know if Alice will use 10.11.12.13 or the name of the server.

 

So, in reality, you always use tomcat with a service running with SYSTEM or Network Service.

If you want to use authbysspi.domaina.test.net, you can also define an alias (CNAME) in the DNS with webserver.domaina.test.net. IE and Firefox will use Kerberos.

 

You can find the IE and Firefox configuration in the file test.txt.tset.txt is in the file example.zip.

Otherwise, you have the configuration of IE and Firefox in the file configure.txt in the other zip.

 

So, to resume, it is better that tomcat run as a service with the account SYSTEM or Network Service  (NT AUTHORITY\Network Service).