Creating a keytab for java clients

This guide will show you how to create and use a keytab file in your client applications.

Summary

Keytab files are not required. There are alternatives to using keytab files. One alternative is to simply provide a username and password instead of the path to a keytab file.

If your Java client needs to communicate with an HTTP server that requires Kerberos/SPNEGO authentication and you prefer that your Java client use a keytab file instead of a username/password, this guide shows how to do this by walking through the HelloKeytab.java program and the keytab file that the program will use.

This guide does NOT show you how to create a keytab file for use by your app server (e.g. Tomcat, JBoss). The SPNEGO Http Servlet Filter does NOT require your app server to use a keytab file.

However, if you prefer to use a keytab file over providing a username/password in the web.xml, take a look at the Creating a Keytab for Application Servers example.

Before Getting Started

Be sure that you have read and successfully performed ALL of the steps in the pre-flight documentation before proceeding any further. It is imperative that you perform all steps in the pre-flight since we will be using files that we created from that guide.

If you don't already have a working app server that authenticates requests via Kerberos/SPNEGO, take a look at the installing Tomcat or installing JBoss example.

Compiling HelloKeytab.java

Download the HelloKeytab.java code and place it under the C:\spnego-examples directory.

Download the latest spnego.jar and place it under the C:\spnego-examples directory with the file name spnego.jar.

Before compiling HelloKeytab.java, be sure to change the hard-coded URL address of the app server.

Also, notice that the constructor for the SpnegoHttpURLConnection class (as used in HelloKeytab.java) takes the String literal custom-client. This login module name is arbitrary, but an entry with exactly this name must exist in your login.conf file.

Compiling HelloKeytab.java requires that you use JDK 1.6 or higher and that the spnego.jar file is on your classpath.

Open a command prompt and cd into the C:\spnego-examples directory.
Compile the class by typing javac -cp .;spnego.jar HelloKeytab.java at the prompt.

Creating the login.conf file

Create a login.conf file with the following contents and place it under the C:\spnego-examples directory:

custom-client {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="file:///C:/spnego-examples/hellokeytab.keytab"
    principal=metis;
};

Note that you must change principal=metis to one that is appropriate for your environment.

For example, if you want to use a Windows NT (Domain) Account named dfelix, then your login file will have principal=dfelix instead. There is nothing special about this account; you create it in Active Directory the way you would create any other account for any new employee, etc.

Also, the LoginModule name custom-client must match with what you have in your HelloKeytab.java file.

Finally, place the krb5.conf file you created during pre-flight under the C:\spnego-examples directory.

Creating the keytab file

Before creating the keytab file, we'll want to be sure we have the right username and password for the account. We can do this by attempting to log in to a workstation with that account, or by using Firefox instead of IE to visit a protected page on our app server.

By default, Firefox will prompt for a username and password. Type in the username and password of the account you want to use to confirm that all is working as expected.

Open a command prompt and cd into the C:\spnego-examples directory. Next, create the keytab file by typing the command ktab.exe -a metis M3tisP@55 -k hellokeytab.keytab at the prompt.

Be sure to replace the username and password provided above with the username and password that you want to use. Also, the location and path to the hellokeytab.keytab file must match what you have specified in your login.conf file.

Finally, list the contents of the keytab file by typing ktab.exe -l -k hellokeytab.keytab at the prompt.

Seeing multiple entries is fine: ktab writes one entry per encryption type configured in your krb5.conf file, all for the same principal.
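As an added example (not the project's HelloKeytab.java), the following program checks the login.conf and keytab created above using only the JDK's JAAS and GSS-API classes: it logs in from the keytab via the custom-client entry, builds a SPNEGO token for the server's HTTP service principal, and sends it in the Authorization header. The target URL is a placeholder to replace with your own protected page; it assumes Java 8 or later.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Run from C:\spnego-examples with:
 *   java -Djava.security.auth.login.config=login.conf
 *        -Djava.security.krb5.conf=krb5.conf KeytabCheck
 */
public class KeytabCheck {
    // Placeholder target; replace with your app server's protected page.
    private static final String TARGET = "http://server.example.com/hello_spnego.jsp";

    public static void main(String[] args) throws Exception {
        // No CallbackHandler: the key comes from the keytab named in login.conf.
        LoginContext lc = new LoginContext("custom-client");
        lc.login(); // fails here if the keytab, principal or krb5.conf is wrong
        Subject subject = lc.getSubject();
        int status = Subject.doAs(subject,
                (PrivilegedExceptionAction<Integer>) () -> request(new URL(TARGET)));
        System.out.println("HTTP status: " + status); // 200 means the server accepted the token
        lc.logout();
    }

    static int request(URL url) throws Exception {
        GSSManager manager = GSSManager.getInstance();
        // The server's service principal is HTTP/<host>, in host-based form.
        GSSName server = manager.createName("HTTP@" + url.getHost(), GSSName.NT_HOSTBASED_SERVICE);
        Oid spnego = new Oid("1.3.6.1.5.5.2");
        GSSContext ctx = manager.createContext(server, spnego, null, GSSContext.DEFAULT_LIFETIME);
        try {
            // Initial token from the TGT obtained with the keytab's key.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestProperty("Authorization",
                    "Negotiate " + Base64.getEncoder().encodeToString(token));
            int status = conn.getResponseCode();
            conn.disconnect();
            return status;
        } finally {
            ctx.dispose();
        }
    }
}
```

If lc.login() throws, the problem is in the keytab, principal name or krb5.conf rather than the web server, which narrows troubleshooting before you run HelloKeytab.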

Testing the keytab file

We can now test our keytab file by running the HelloKeytab program we compiled earlier: type the command java -cp .;spnego.jar HelloKeytab at the command prompt.

If all is well, you should get an output similar to the following:

Troubleshooting HelloKeytab.java

If the test was not successful, take a look at the Troubleshooting HelloKeytab.java page.

Licensing:
GNU LGPL


© 2009 Darwin V. Felix. All rights reserved.