geronimo-scm mailing list archives

Subject [CONF] Apache Geronimo v2.1 > Using Spengo in geronimo
Date Fri, 05 Feb 2010 11:53:00 GMT
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="">Using
Spengo in geronimo</a></h2>
     <h4>Page <b>edited</b> by <a href="">Ashish</a></h4>
     <div class="notificationGreySide">

<p>SPNEGO with Geronimo involves three machines: a client machine, a server machine (running Geronimo)
and a Microsoft Active Directory domain controller. The client and server machines must both be
members of the Active Directory domain, since Kerberos tickets are issued by the domain controller
and validated against a service key it also holds.</p>

<ul>
    <li><a href='#UsingSpengoingeronimo-SettinguptheActiveDirectoryDomainController'>Setting
up the Active Directory Domain Controller</a></li>
    <li><a href='#UsingSpengoingeronimo-Settinguptheclientmachine'>Setting up
the client machine</a></li>
</ul>
<h1><a name="UsingSpengoingeronimo-SettinguptheActiveDirectoryDomainController"></a>Setting
up the Active Directory Domain Controller</h1>
<ol>
	<li>Create a user account in Active Directory for the service. It must be a dedicated user account,
not a computer or domain controller account, and no other account in the forest may carry the SPN
registered in the next step (a duplicate SPN stops the KDC from issuing tickets for the service). In our
case we have created a user called testuser with the password testuser123.</li>
	<li>Map the service principal name (SPN) to the user account you created in the previous
step. For SPNEGO over HTTP the SPN is HTTP/&lt;Fully_Qualified_Host_Name&gt;. Browsers derive this name
from the host name in the URL, so it must match the name clients use to reach the server. In
our case the SPN is HTTP/ You can run the following command to map the SPN to the user:<br/>
C:\Program Files\Support Tools&gt;setspn -A HTTP/ testuser</li>
	<li>Next, create a keytab file. Run the following command:<br/>
C:\Program Files\Support Tools&gt;ktpass -out c:\winnt\krb5.keytab -princ HTTP/
-mapUser testuser -mapOp set -pass testuser123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL<br/>
Two things to keep in mind: -mapOp set together with -pass resets the account's password to the value
given, and the keytab contains the account's long-term key, so anyone who can read the file can
impersonate the service. Copy it to the Geronimo server over a secure channel and restrict read access to
the account Geronimo runs as. RC4-HMAC-NT is the weakest cipher ktpass offers; prefer -crypto AES256-SHA1
(or AES128-SHA1) wherever the server JVM supports it.</li>
</ol>

<p>With this step the Active Directory domain controller setup is complete.</p>
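<p>The three domain controller steps above, as a single script. This is an added example and not part of the original page or of the Geronimo project; it uses PowerShell with the ActiveDirectory module and the setspn/ktpass tools that ship with current Windows Server rather than the Windows 2003 Support Tools shown above. The host name geronimo.example.com, the realm EXAMPLE.COM and the keytab path are assumptions, since the page does not give them.</p>

```powershell
# Added example: scripted version of the domain controller steps on this page.
# Run as a Domain Admin on a DC or on a host with RSAT installed.
# ASSUMPTIONS (not stated on the page): the Geronimo host is
# geronimo.example.com in the AD domain/Kerberos realm EXAMPLE.COM.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$svcUser  = 'testuser'                          # service account, as on the page
$spn      = 'HTTP/geronimo.example.com'          # HTTP/<FQDN> exactly as clients will address it
$realm    = 'EXAMPLE.COM'                        # realm must be upper case
$keytab   = 'C:\Temp\krb5.keytab'                # assumed path
$password = Read-Host -AsSecureString 'Password for the service account'

# 1. Dedicated user account. Kerberos derives the service key from this
#    account's password, so it must not expire or be changed behind ktpass's back.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcUser'")) {
    New-ADUser -Name $svcUser -SamAccountName $svcUser `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}
# Advertise AES only (needs Windows Server 2012 or later RSAT); RC4 is deprecated.
Set-ADUser $svcUser -KerberosEncryptionType AES256

# 2. Refuse to continue if the SPN is already registered on another account
#    anywhere in the forest: a duplicate SPN breaks ticket issuance.
$dup = setspn -Q $spn
if ($dup -match 'Existing SPN found') {
    throw "SPN $spn is already registered:`n$($dup -join "`n")"
}
setspn -S $spn $svcUser                          # -S also checks for duplicates before adding

# 3. Keytab. -mapOp set with -pass RESETS the account password to $password,
#    and the keytab is equivalent to that password: protect the file.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
ktpass -out $keytab -princ "$spn@$realm" -mapUser $svcUser -mapOp set `
       -pass $plain -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL
$plain = $null

# 4. Verify the registration and lock the keytab down to administrators.
Get-ADUser $svcUser -Properties ServicePrincipalNames |
    Select-Object -ExpandProperty ServicePrincipalNames
icacls $keytab /inheritance:r /grant:r 'Administrators:(R)' 'SYSTEM:(R)'
```

<p>If the server JVM lacks an unlimited-strength crypto policy, use -crypto AES128-SHA1 and -KerberosEncryptionType AES128 instead of falling back to RC4-HMAC-NT. After copying the keytab to the Geronimo host, remove the local copy.</p>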

<h1><a name="UsingSpengoingeronimo-Settinguptheclientmachine"></a>Setting
up the client machine</h1>

<p>On the client machine we need to configure the browser for SPNEGO. Internet Explorer
can be configured as follows:</p>

<ol>
	<li>Go to Tools-&gt;Internet Options-&gt;Security-&gt;Local Intranet-&gt;Sites.
Check all three boxes.</li>
	<li>Go to Tools-&gt;Internet Options-&gt;Security-&gt;Local Intranet-&gt;Sites-&gt;Advanced.
Add the name of the server host machine, using the same host name that appears in the SPN. In our
case we have added it as follows <a href="" rel="nofollow"></a>. Select OK.</li>
	<li>Go to Tools-&gt;Internet Options-&gt;Security-&gt;Local Intranet. Select Custom Level,
scroll down to User Authentication-&gt;Logon and make sure "Automatic logon only in Intranet zone" is
selected. This is the setting that lets IE send the user's Kerberos ticket without prompting, and it
is scoped to the intranet zone so that sites outside the zone never receive it.</li>
	<li>Go to Tools-&gt;Internet Options-&gt;Advanced. Check that "Enable Integrated
Windows Authentication (requires restart)" is selected.</li>
</ol>

<p>Mozilla Firefox can be configured as follows:</p>

<ol>
	<li>In the URL address bar type about:config and press Enter.</li>
	<li>In the filter enter network.nego. This lists 5 properties. Modify<br/>
network.negotiate-auth.trusted-uris and add http://,https://, or, more safely, only the host name of the
Geronimo server: this list controls which sites Firefox will send a Negotiate (Kerberos) ticket to, and
http://,https:// means every site.<br/>
network.negotiate-auth.delegation-uris is only needed if Geronimo has to forward the user's credentials
to another service. If you set it, restrict it to the Geronimo host rather than http://,https://, since any
site on this list can obtain a forwardable ticket for the user.</li>
	<li>Once done, restart the browser.</li>
</ol>

<p>This sets up your client machine. Make sure you log in to the client machine with an account from the
Active Directory domain, otherwise the browser has no ticket-granting ticket to request a service ticket with.</p>
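<p>The Internet Explorer and Firefox steps above, scripted. This is an added example, not part of the original page or of the Geronimo project. It writes the per-user registry values behind the IE dialogs and a user.js for Firefox, and deliberately trusts only the Geronimo host instead of http://,https://. The host name geronimo.example.com is an assumption; the page does not give one.</p>

```powershell
# Added example: scripted equivalent of the client-side browser steps.
# Run as the domain user on the client machine (HKCU settings).
# ASSUMPTION (not on the page): the Geronimo server is geronimo.example.com.
$ErrorActionPreference = 'Stop'
$server = 'geronimo.example.com'

# --- Internet Explorer ------------------------------------------------------
# ZoneMap\Domains\<host>: http/https = 1 puts the host in zone 1 (Local intranet),
# i.e. the "Sites -> Advanced" dialog above.
$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$server"
New-Item -Path $zoneMap -Force | Out-Null
New-ItemProperty -Path $zoneMap -Name 'http'  -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $zoneMap -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# Custom Level -> User Authentication -> Logon is value 1A00 of the zone:
#   0x00000 automatic logon everywhere in the zone (too broad)
#   0x10000 prompt for user name and password (breaks SPNEGO)
#   0x20000 automatic logon only in Intranet zone  <- what the page asks for
#   0x30000 anonymous logon (breaks SPNEGO)
$zone1 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
Set-ItemProperty -Path $zone1 -Name '1A00' -Value 0x20000 -Type DWord

# Advanced -> "Enable Integrated Windows Authentication" (effective after IE restart)
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
    -Name 'EnableNegotiate' -Value 1 -Type DWord

# --- Mozilla Firefox --------------------------------------------------------
# trusted-uris: sites that may receive a Kerberos service ticket.
# delegation-uris: sites that may receive a forwardable TGT; left out unless
# Geronimo must act on the user's behalf against another service.
# Naming the host instead of "http://,https://" keeps tickets off every other site.
$prefs = @"
user_pref("network.negotiate-auth.trusted-uris", "$server");
"@
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profileRoot) {
    foreach ($p in Get-ChildItem $profileRoot -Directory) {
        Add-Content -Path (Join-Path $p.FullName 'user.js') -Value $prefs
    }
}

# --- Sanity check: a domain logon with a TGT is required for SPNEGO ----------
whoami /upn          # should print user@domain, not a local account
klist tgt            # should show a krbtgt ticket for the realm
```

<p>Firefox reads user.js at start-up and copies it into prefs.js, so the change needs a browser restart, the same as the about:config route. If klist tgt reports no ticket, the session was not a domain logon and the browser will fall back to NTLM or to a password prompt.</p>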

     <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href=""
class="grey">Change Notification Preferences</a>

       <a href="">View
       <a href="">View
       <a href=";showCommentArea=true#addcomment">Add

View raw message