Using Kerberos 5 keytab to authenticate LDAP resolver with 3.2.1

Simon Lundström simlu at su.se
Tue Feb 16 08:18:43 EST 2016


On Thu, 2016-02-04 at 14:39:01 +0000, Robert Bradley wrote:
> On 03/02/16 12:49, King, David wrote:
> > 
> > Has anyone used GSSAPI with a Kerberos keytab to authenticate the
> > LDAP resolver with 3.x?  If so, how did you configure it?  Is there
> > any resource that I missed on how to configure/debug this?
> > 
> > Thanks in advance for the help, David
> > 
> 
> We (Oxford) are doing this in a similar way to Simon Lundström's post.
>  One major difference though is that our setup uses the
> sun.security.jgss.native property to force the use of native Kerberos
> libraries.  I have found in the past that this makes life a lot
> simpler!  This also simplifies the configuration in jaas.conf
> considerably, at the expense of having to set up the KRB5CCNAME
> environment variable in the scripts that start Tomcat.
> 
> Our Java parameters for this look like:
> 
> -Djavax.security.auth.useSubjectCredsOnly=false
> -Dsun.security.jgss.native=true
> -Djava.security.auth.login.config=${CONF_PATH}/jaas.conf

Thanks again for this Robert! So much nicer to use native Kerberos
support, e.g. the JVM doesn't do an AS-REQ for the service user every time
it needs to verify a user's password.

Sadly, it seems like using JGSS native breaks SPNEGO:
2016-02-09 14:23:42,575 - WARN [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:94] - Profile Action ValidateExternalAuthentication: External authentication produced exception
net.shibboleth.idp.authn.ExternalAuthenticationException: SPNEGONotAvailable
        at net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController.continueSPNEGO(SPNEGOAuthnController.java:167)
Caused by: sun.security.jgss.GSSExceptionImpl: Provider SunNativeGSS does not support mechanism 1.3.6.1.5.5.2
        at sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:253)

Are you using GSSAPI with JGSS native Robert? Is that working?

BR,
- Simon
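A small diagnostic, added here as an example and not code from the thread or from Shibboleth, that lists the GSS mechanisms the JVM's current provider chain actually offers. Running it once with and once without -Dsun.security.jgss.native=true shows whether SPNEGO (1.3.6.1.5.5.2) disappears when the native provider is in use, which is what the stack trace above reports; the class name is my own.

```java
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Lists JGSS mechanisms and checks for the two the IdP setup relies on. */
public class GssMechCheck {
    static final String KRB5_OID   = "1.2.840.113554.1.2.2"; // Kerberos 5
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";        // SPNEGO

    /** True if any registered provider offers the given mechanism OID. */
    static boolean supports(GSSManager manager, String oidString) throws GSSException {
        Oid wanted = new Oid(oidString);
        for (Oid mech : manager.getMechs()) {
            if (mech.equals(wanted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        System.out.println("sun.security.jgss.native=" + System.getProperty("sun.security.jgss.native"));
        for (Oid mech : manager.getMechs()) {
            System.out.println("available mechanism: " + mech);
        }
        // With the native provider, a missing SPNEGO line here explains the
        // "does not support mechanism 1.3.6.1.5.5.2" exception from the IdP log.
        System.out.println("Kerberos 5 supported: " + supports(manager, KRB5_OID));
        System.out.println("SPNEGO supported:     " + supports(manager, SPNEGO_OID));
    }
}
```

Run it with the same -D flags (and KRB5CCNAME) as the Tomcat start script so the provider list matches what the IdP sees, e.g. `java -Dsun.security.jgss.native=true GssMechCheck`.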

