5.8.3. Configure JBoss Negotiation for Microsoft Windows Domain

This section describes how to configure the accounts required for JBoss Negotiation to be used when JBoss EAP is running on a Microsoft Windows server, which is a part of the Active Directory domain.
In this section, the hostname that is used to access the server as is referred to as {hostname}, realm is referred to as {realm}, domain is referred to as {domain}, and the server hosting the JBoss EAP instance is referred to as {machine_name}.

Procedure 5.6. Configure JBoss Negotiation for Microsoft Windows Domain

  1. Clear Existing Service Principal Mappings

    On a Microsoft Windows network some mappings are created automatically. Delete the automatically created mappings to map the identity of the server to the service principal for negotiation to take place correctly. The mapping enables the web browser on the client computer to trust the server and attempt SPNEGO. The client computer verifies with the domain controller for a mapping in the form of HTTP{hostname}.
    The following are the steps to delete the existing mappings:
    • List the mapping registered with the domain for the computer using the command, setspn -L {machine_name}.
    • Delete the existing mappings using the commands, setspn -D HTTP/{hostname} {machine_name} and setspn -D host/{hostname} {machine_name}.
  2. Create a host user account.


    Ensure the host user name is different from the {machine_name}.
    In the rest of the section the host user name is referred to as {user_name}.
  3. Define the mapping between the {user_name} and {hostname}.

    • Run the following command to configure the Service Principal Mapping, ktpass -princ HTTP/{hostname}@{realm} -pass * -mapuser {domain}\{user_name}.
    • Enter the password for the user name when prompted.


      Reset the password for the user name as it is a prerequisite for exporting the keytab.
    • Verify the mapping by running the following command, setspn -L {user_name}
  4. Export the keytab of the user to the server on which EAP JBoss is installed.

    Run the following command to export the keytab, ktab -k service.keytab -a HTTP/{hostname}@{realm}.


    This command exports the ticket for the HTTP/{hostname} principal to the keytab service.keytab, which is used to configure the host security domain on JBoss.
  5. Define the principal within the security domain as follows:
    <module-option name="principal">HTTP/{hostname}@{realm}</module-option>