Creating a Service Principal for Spring Security backend servers on a 2k8 server

I am following this post http://blog.springsource.com/2009/09/28/spring-security-kerberos/ to set up a service principal on a local server which I will be using to test Spring Security's Active Directory integration. The server is running Tomcat, where I deploy my application and access it with http://localhost:8080/myapp

Question

What should my service principal name be?

The article says:

For this to work, all web applications must be registered with the Kerberos server and have a service principal and shared secret assigned. For web applications, the service principal name should be "HTTP/<hostname>@DOMAIN", for example "HTTP/web.springsource.com@SPRINGSOURCE.COM" if your application is running on web.springsource.com.

Since I am running on localhost, I think this will be HTTP/localhost@....

What do I put in place of @SPRINGSOURCE.COM?



1 answer


For Kerberos to work, you must have DNS and an AD server configured on your network. The application server and the client computers must use that DNS, and the client computers must use AD authentication. The name "localhost" is NOT allowed. The application server cannot be in the domain.

Let's assume all the machines are in the domain:

  • Assign a DNS name to the application server, for example appserver (appserver.yourdomain.local)
  • Add the DNS name of your application server to the forward and reverse lookup zones of the DNS server.
  • Create a plain user in the domain and set the options "User cannot change password" and "Password never expires" (for example, the username is myUser)
  • On the domain controller, open a command prompt and run the following commands:

    C:\> setspn -A HTTP/appserver myUser

    C:\> setspn -A HTTP/appserver.yourdomain.local myUser

  • Check that it is correct:

    C:\> setspn -L myUser

    (if it lists what you entered earlier, then everything is fine)

  • Then create the keytab file:

    C:\> ktpass /out C:\myUser.keytab /mapuser myUser@YOURDOMAIN.LOCAL /princ HTTP/appserver.yourdomain.local@YOURDOMAIN.LOCAL /pass +rndPass /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL



You can now use the myUser.keytab file and the principal name HTTP/appserver.yourdomain.local in your web application.

may be useful in the future:
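Before wiring the keytab into the web application it is worth confirming that it actually contains the principal from the ktpass command, with the expected encryption type and key version. The following is an added example (not part of the original answer) that parses the MIT keytab format (version 0x0502, which ktpass writes) in Python; the sample keytab is constructed inline with a dummy all-zero key, and the principal name and realm are the ones assumed in the answer above.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757); ktpass /crypto RC4-HMAC-NT writes 23.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1  # name type written by ktpass /ptype KRB5_NT_PRINCIPAL

def _counted(data: bytes) -> bytes:
    """Keytab 'counted string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def build_keytab_entry(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Encode one version-2 keytab entry for 'svc/host@REALM' (used here to construct test data)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key              # keyblock
    return struct.pack(">i", len(body)) + body                       # entry size prefix

def parse_keytab(data: bytes):
    """Return [(principal, enctype, kvno)] for every live entry in a version-2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 (0x0502) keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted entry; skip its slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):   # realm comes first, then the name components
            (ln,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        realm, comps = parts[0], parts[1:]
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(comps) + "@" + realm, enctype, kvno))
    return entries

def keytab_has_spn(data: bytes, spn: str) -> bool:
    """True if the keytab holds a key for exactly this principal (name, host and realm)."""
    return any(p == spn for p, _, _ in parse_keytab(data))

# Constructed sample keytab: the principal from the answer with a dummy key (not a real secret).
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    "HTTP/appserver.yourdomain.local@YOURDOMAIN.LOCAL", 23, b"\x00" * 16, kvno=3)
```

On a real file, `parse_keytab(open("myUser.keytab", "rb").read())` shows whether the SPN, realm case and kvno match what the domain controller issued; a mismatch in any of them is the usual cause of a SPNEGO "no credentials" failure.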
