Red Hat
Aug 15, 2017
by Jan Kalina

Testing environment

For the needs of this tutorial we will use a simple Kerberos server and keytab generator by Josef Cacek:

git clone
cd kerberos-using-apacheds
mvn install

Generate the keytab file - a file holding the username HTTP/localhost@JBOSS.ORG and the password httppwd, which the WildFly server uses to connect to Kerberos:

java -classpath target/kerberos-using-apacheds.jar org.jboss.test.kerberos.CreateKeytab HTTP/localhost@JBOSS.ORG httppwd http.keytab

Just note that you need to replace HTTP with remote to use it with the remoting protocol. In that case it is also necessary to add such a user into the LDIF:

dn: uid=remote,ou=Users,dc=jboss,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: remote
sn: Service
uid: remote
userPassword: remotepwd
krb5PrincipalName: remote/localhost@JBOSS.ORG
krb5KeyVersionNumber: 0

java -classpath target/kerberos-using-apacheds.jar org.jboss.test.kerberos.CreateKeytab remote/localhost@JBOSS.ORG remotepwd remote.keytab
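A keytab is a credential: anyone who can read http.keytab or remote.keytab holds the service's long-term key and can impersonate it. The following is an added example, not part of the original post or of the kerberos-using-apacheds project: a POSIX shell helper that checks a principal name has the service/host@REALM shape used above and restricts a generated keytab to owner-only permissions before it is handed to WildFly. The script name and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of kerberos-using-apacheds.
# Checks that a principal has the service/host@REALM shape used in the post
# and locks a generated keytab down to its owner, since anyone who can read
# the keytab holds the service's long-term key.

# validate_principal NAME -> 0 if NAME looks like service/host@REALM
# (all three parts non-empty), 1 otherwise.
validate_principal() {
    case "$1" in
        */*@*) ;;
        *) return 1 ;;
    esac
    svc=${1%%/*}
    rest=${1#*/}
    host=${rest%%@*}
    realm=${rest#*@}
    [ -n "$svc" ] && [ -n "$host" ] && [ -n "$realm" ]
}

# secure_keytab FILE -> chmod 0600 and confirm the mode; returns 1 on any failure.
secure_keytab() {
    if [ ! -f "$1" ]; then
        echo "keytab not found: $1" >&2
        return 1
    fi
    chmod 600 "$1" || return 1
    mode=$(ls -l "$1" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "unexpected mode $mode on $1" >&2
        return 1
    fi
}

# Usage: sh keytab-check.sh PRINCIPAL KEYTAB, e.g.
#   sh keytab-check.sh HTTP/localhost@JBOSS.ORG http.keytab
if [ $# -eq 2 ]; then
    validate_principal "$1" || { echo "bad principal name: $1" >&2; exit 2; }
    secure_keytab "$2" && echo "ok: $2 is readable only by its owner"
fi
```

Run it on each keytab right after CreateKeytab produces it; the file should be owned by the user the WildFly process runs as, and the path given later to kerberos-security-factory should point at this locked-down copy.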

Now you can start the testing Kerberos server with the database from the example test.ldif file:

java -jar target/kerberos-using-apacheds.jar test.ldif

Now you can log in as a user using kinit:

export KRB5_CONFIG=/home/jkalina/Desktop/tutorial/kerberos-using-apacheds/krb5.conf
kinit hnelson@JBOSS.ORG
Password for hnelson@JBOSS.ORG: secret

Now we can start to configure the WildFly server.

Configuring WildFly to use Kerberos

First we need to specify a property - the path to the krb5.conf file generated by the testing server above:


Let's specify the credentials used to connect to the Kerberos server - the principal and the path to the corresponding keytab file:

/subsystem=elytron/kerberos-security-factory=krbSFhttp:add(principal=HTTP/localhost@JBOSS.ORG, path=/home/jkalina/Desktop/tutorial/kerberos-using-apacheds/http.keytab, mechanism-names=[KRB5, SPNEGO])
/subsystem=elytron/kerberos-security-factory=krbSFremote:add(principal=remote/localhost@JBOSS.ORG, path=/home/jkalina/Desktop/tutorial/kerberos-using-apacheds/remote.keytab, mechanism-names=[KRB5])

Now we can add the required mechanisms into the authentication factories:

/subsystem=elytron/http-authentication-factory=management-http-authentication:list-add(name=mechanism-configurations, \
    value={mechanism-name=SPNEGO, mechanism-realm-configurations=[{realm-name=exampleFsSD}], credential-security-factory=krbSFhttp})
/subsystem=elytron/sasl-authentication-factory=management-sasl-authentication:list-add(name=mechanism-configurations, \
    value={mechanism-name=GS2-KRB5-PLUS, credential-security-factory=krbSFremote})

Just note that Kerberos is used only for authentication, not for authorization - users still need to exist in the appropriate security realms - you need to add the user into


Enabling Elytron for authentication

To use the authentication factories above we need to switch to them from the legacy security realms:



Using curl:

curl --negotiate -u hnelson@JBOSS.ORG --trace-ascii - http://localhost:9990/management

Getting debug output

We can specify a property to enable Kerberos debugging in the Oracle JDK:


Trace messages from Elytron and from remoting will also be useful:


Common error messages

No server entry found for kerberos principal name HTTP/

You are accessing the WildFly server from a browser by a different hostname ( than the one for which the Kerberos account exists (localhost).
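Added example, not from the original post: a POSIX shell check that reproduces the diagnosis above by comparing the host in the URL the browser or curl uses with the host in the service principal the keytab was generated for. Kerberos principal names are case-sensitive, so a host that differs only in letter case is reported separately from an outright mismatch. The script name and the URL and principal arguments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Compares the host a client
# will put in its service ticket request (taken from the URL) with the host
# part of the service principal stored in the keytab, to explain the
# "No server entry found for kerberos principal name ..." error.

# url_host URL -> prints the host part of URL (scheme, port and path removed).
# Assumes a plain hostname or IPv4 literal, not a bracketed IPv6 address.
url_host() {
    h=${1#*://}      # drop "http://" / "https://"
    h=${h%%/*}       # drop path
    h=${h%%:*}       # drop port
    printf '%s\n' "$h"
}

# principal_service PRINCIPAL -> prints "service" from service/host@REALM
principal_service() {
    printf '%s\n' "${1%%/*}"
}

# principal_host PRINCIPAL -> prints "host" from service/host@REALM
principal_host() {
    p=${1#*/}
    printf '%s\n' "${p%%@*}"
}

# check_spn URL PRINCIPAL
#   returns 0 when the client will ask for exactly the principal in the keytab,
#   2 when the hosts differ only in letter case (principal names are
#     case-sensitive, so this is still a mismatch, but an easy one to miss),
#   1 when the hosts differ outright.
check_spn() {
    url=$1; principal=$2
    svc=$(principal_service "$principal")
    uh=$(url_host "$url")
    ph=$(principal_host "$principal")
    if [ "$uh" = "$ph" ]; then
        echo "ok: client requests $svc/$uh, keytab holds $principal"
        return 0
    fi
    uh_lc=$(printf '%s' "$uh" | tr 'A-Z' 'a-z')
    ph_lc=$(printf '%s' "$ph" | tr 'A-Z' 'a-z')
    if [ "$uh_lc" = "$ph_lc" ]; then
        echo "case mismatch: client requests $svc/$uh, keytab holds $principal" >&2
        return 2
    fi
    echo "mismatch: client requests $svc/$uh but keytab holds $principal" >&2
    echo "use http://$ph:... in the client, or generate a keytab for $svc/$uh" >&2
    return 1
}

# Usage: sh check-spn.sh URL PRINCIPAL, e.g.
#   sh check-spn.sh http://localhost:9990/management HTTP/localhost@JBOSS.ORG
if [ $# -eq 2 ]; then
    check_spn "$1" "$2"
fi
```

With the keytab from this tutorial, http://localhost:9990/management passes and http://127.0.0.1:9990/management fails, which is exactly the situation that produces the error above: the client asks the KDC for HTTP/127.0.0.1 and the server has no key for it.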
