I'm running two sample web apps that are secured by Spring Security Kerberos. After logging into one, I expected the other app to not require login. Here are the details of my setup:
On Ubuntu Linux, I have installed Kerberos and configured per this documentation. I replaced EXAMPLE.ORG with my domain, MYDOMAIN.LOCAL. Here's my krb5.conf:
[libdefaults]
default_realm = MYDOMAIN.LOCAL
kdc_tcp_port = 12345
kdc_udp_port = 12345
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.LOCAL = {
kdc = localhost
admin_server = localhost
}
I also added two service principals: HTTP/[email protected] and HTTP/[email protected].
Then I built this Spring Security Kerberos sample code following this documentation.
I ran two instances of this sample app with different config parameters:
App 1
server:
  port: 9122
app:
  service-principal: HTTP/[email protected]
  keytab-location: /tmp/tomcat.keytab
App 2
server:
  port: 9123
app:
  service-principal: HTTP/[email protected]
  keytab-location: /tmp/tomcat2.keytab
Both app instances are running on the same Linux machine hosting my Kerberos (KDC) instance.
On my local Windows machine, I configured Firefox per this. I set network.negotiate-auth.trusted-uris=http://subdomain1.mydomain.local,http://subdomain2.mydomain.local.
I edited my hosts file (Windows machine) so that subdomain2.mydomain.local points to the same IP address as subdomain1.mydomain.local (since my DNS doesn't know about subdomain2).
Using Firefox, I navigated to http://subdomain1.mydomain.local/hello, which is secured. As expected, I got the login page. I logged in as user1 and got the hello page (which displays `Hello [email protected]`).
On another Firefox tab, I navigated to http://subdomain2.mydomain.local/hello. I was prompted to login again. Why?
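As an added example (not the asker's code and not the Spring Security Kerberos sample), the script below cross-checks the names that have to agree before a browser will send a Kerberos ticket at all: the SPN in each app's keytab must be HTTP/<exact URL host>, the SPN realm must be the default_realm with a [realms] entry, and the URL must be covered by Firefox's network.negotiate-auth.trusted-uris. The krb5.conf text, principals and URLs are constructed to mirror the layout in the question (the real principals are obfuscated above), the `bad` entry is a deliberate host mismatch, and the trusted-uris matching is a simplified approximation of Firefox's rule, not its implementation.

```python
import re
from urllib.parse import urlparse

# Constructed krb5.conf modelled on the question (not the asker's file).
KRB5_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.LOCAL
kdc_tcp_port = 12345
kdc_udp_port = 12345
forwardable = true
[realms]
MYDOMAIN.LOCAL = {
kdc = localhost
admin_server = localhost
}
"""

# Constructed Firefox setting and app configs mirroring the question's layout.
TRUSTED_URIS = "http://subdomain1.mydomain.local,http://subdomain2.mydomain.local"
APPS = {
    "app1": ("HTTP/subdomain1.mydomain.local@MYDOMAIN.LOCAL", "http://subdomain1.mydomain.local/hello"),
    "app2": ("HTTP/subdomain2.mydomain.local@MYDOMAIN.LOCAL", "http://subdomain2.mydomain.local/hello"),
    # Deliberate mismatch: keytab cut for one host name, app served under another.
    "bad": ("HTTP/tomcat.mydomain.local@MYDOMAIN.LOCAL", "http://subdomain2.mydomain.local/hello"),
}

SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [sections], key = value pairs and one level
    of `NAME = { ... }` blocks, which covers [libdefaults] and [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line}")
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def parse_spn(spn):
    """Split service/host@REALM; host is lower-cased for comparison."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"not a service principal: {spn}")
    return m.group("service"), m.group("host").lower(), m.group("realm")


def uri_trusted(url, trusted_uris):
    """Approximation of the trusted-uris rule: an entry with a scheme must
    match scheme and host exactly; a bare entry matches that host or any
    subdomain of it."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for entry in (e.strip().lower() for e in trusted_uris.split(",") if e.strip()):
        if "://" in entry:
            e = urlparse(entry)
            if e.scheme == parsed.scheme and (e.hostname or "") == host:
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False


def check_app(service_principal, url, trusted_uris, krb5):
    """Return the reasons a browser would NOT present a ticket to this app;
    an empty list means the names line up."""
    problems = []
    service, spn_host, realm = parse_spn(service_principal)
    url_host = (urlparse(url).hostname or "").lower()
    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    if service != "HTTP":
        problems.append(f"service class is {service!r}; browsers request HTTP/<host>")
    if spn_host != url_host:
        problems.append(f"SPN host {spn_host!r} differs from URL host {url_host!r}")
    if realm != default_realm:
        problems.append(f"SPN realm {realm!r} is not default_realm {default_realm!r}")
    if realm not in krb5.get("realms", {}):
        problems.append(f"realm {realm!r} has no [realms] entry, so no KDC to contact")
    if not uri_trusted(url, trusted_uris):
        problems.append(f"{url} is not covered by negotiate-auth.trusted-uris")
    return problems


def audit(apps=APPS, krb5_text=KRB5_CONF, trusted_uris=TRUSTED_URIS):
    krb5 = parse_krb5_conf(krb5_text)
    return {name: check_app(spn, url, trusted_uris, krb5) for name, (spn, url) in apps.items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it after editing krb5.conf, the keytabs or the Firefox preference; an app that reports problems will fall through to the form login, because the browser either never attempts Negotiate or asks the KDC for a service ticket whose name the keytab cannot decrypt. Passing these checks is necessary, not sufficient: the client still needs a TGT for the realm in its credential cache.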
Please consider the following two options: trust & configuration issue.