Home > Software engineering >  Kerberos authentication via curl is working but not with browser
Kerberos authentication via curl is working but not with browser

Time:03-23

Can someone help to explain what I am missing? I have an issue where curl

curl -i --negotiate -u : "backendService.net/kerberos:"

Is working fine in CMD and I am able to verify which user called this one in my backend service. However, if I try this one in postman/EDGE or Chrome. I even asked frontend to try to call this one from react with headers :

WWW-Authentication:negotiate

I get that Kerberos validation failed.

I am using spring boot application and this backendService.net/kerberos mentioned above is endpoint to the RestController where I have:

@GetMapping(value = "/kerberos")
public ResponseEntity<String> getKerberosUser(HttpServletRequest req) {
    logger.info("Kerberos remote user: "   req.getRemoteUser());
    return new ResponseEntity<>(req.getRemoteUser(), HttpStatus.OK);
}

I have keytab and SPN setup correclty, because if I try to call like this in cmd:

knit -k -t my-file.keytab HTTP/backendService.net

It generates kerberos ticket with my username.

The most curious part for me why CURL is working but not BROWSER or other stuff? Any feedback is welcome. Thank you!!! :)

Update 1.0

I found that enabling DisableAuthNegotiateCnameLookup cname lookup in chrome will solve this issue. Is it possible to disable it via spring-boot application or I need to add this url to trusted uri?

CodePudding user response:

If anyone is facing this issue. I solved it by adding DNS name to keytab file and creating SPN for that same DNS. The problem was with DNS lookup as it gave wrong domain url all the time. So that's why kerberos authentication failed.

  • Related