Why no keytab file?

Jul 14, 2011 at 6:28 PM

I'm currently using Waffle to replace a more cumbersome and less polished IWA implementation that was written in-house. The old implementation relied on some additional configuration files and a ktpass-generated keytab file. Both implementations seem to require the proper SPN be set. Why does Waffle not require a keytab file? This is even mentioned on the home page. Is it providing the same "full" Kerberos authentication as implementations requiring a keytab file?

Many thanks!

James Courtney

Jul 14, 2011 at 6:50 PM

Waffle works only on Windows and uses SSPI for authentication. So it's not a Kerberos implementation and doesn't know anything about Kerberos. SSPI packages authentication mechanisms such as Kerberos or NTLM or whatever else you want under a common interface. Incidentally, that interface has basically two functions: one that takes a blob and another that returns a blob. Kerberos is configured in the depths of Windows.
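As an added illustration of that blob-in/blob-out shape (my own sketch, not code from this thread or from the Waffle project), here is how a servlet can drive the HTTP Negotiate handshake through Waffle's SSPI wrapper. It assumes Waffle's `WindowsAuthProviderImpl` / `IWindowsSecurityContext` API, a Windows host, and uses the servlet session id as the connection id that ties the legs of one handshake together:

```java
import java.io.IOException;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import waffle.windows.auth.IWindowsAuthProvider;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;

/** Minimal Negotiate (SPNEGO) handler on top of Waffle; no keytab, SSPI does the Kerberos/NTLM work. */
public class NegotiateHandler {
    private static final String SCHEME = "Negotiate ";
    private final IWindowsAuthProvider auth = new WindowsAuthProviderImpl();

    /**
     * Returns the authenticated Windows identity, or null when a 401 has been written
     * and the client must send the next token (NTLM needs more than one round trip;
     * Kerberos usually completes on the first Authorization header).
     */
    public IWindowsIdentity handle(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith(SCHEME)) {
            // First leg: tell the browser which scheme we accept.
            resp.setHeader("WWW-Authenticate", "Negotiate");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return null;
        }
        byte[] inToken = Base64.getDecoder().decode(header.substring(SCHEME.length()));
        // Assumption: the session id is stable across the legs of one handshake.
        String connectionId = req.getSession(true).getId();

        // Blob in: SSPI validates the client token and (optionally) produces a blob to send back.
        IWindowsSecurityContext ctx = auth.acceptSecurityToken(connectionId, inToken, "Negotiate");
        byte[] outToken = ctx.getToken();
        if (outToken != null && outToken.length > 0) {
            resp.setHeader("WWW-Authenticate", SCHEME + Base64.getEncoder().encodeToString(outToken));
        }
        if (ctx.isContinue()) {
            // Blob out: handshake not finished, client must answer the challenge.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return null;
        }
        IWindowsIdentity identity = ctx.getIdentity(); // fully qualified name, groups, SID
        ctx.dispose();                                 // caller disposes the identity when done
        return identity;
    }
}
```

The caller should reject `identity.isGuest()` and release the native handle with `identity.dispose()` once the principal has been copied into the application's own session.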

Jul 14, 2011 at 6:53 PM

Got it. So the underlying Windows APIs and OS are taking care of any Kerberos machinery required, vs. the implementation I've been working with, which uses some Sun GSS APIs, does everything in Java, and requires the keytab file to work. So as long as I'm comfortable with our application only running on Windows (which I believe we are), then we're giving up nothing in using Waffle except some harder-to-maintain and configure code.

Many thanks!

James Courtney

Jul 14, 2011 at 7:07 PM

You're also gaining the integration with Active Directory that Windows has (e.g. complex Active Directory forests, cross-domain auth, etc.) and support for NTLM.

Jul 15, 2011 at 1:25 AM

Great, thank you!
Jul 17, 2011 at 6:33 AM

Okay, follow-on question. Apparently having a keytab file might allow us to have our server authenticate users connected from computers NOT in the same domain as our server. I know this is also possible with Waffle from reading the docs and from your comments. How would I configure Waffle to support a case like this where all users belong to some corporate domain but the server(s) are in a different domain? Do I need/can I use a keytab file with Waffle to this end? Do I need to do anything special in setting SPNs?

Thanks again!

James Courtney

Jul 17, 2011 at 1:07 PM

Authenticating against another domain on Windows requires you to configure an Active Directory trust. This is a domain administrator task. There's no equivalent of keytab that you can configure to work with Waffle.

If you come from the *nix world, you might want to read about Active Directory.

Jul 19, 2011 at 7:26 AM

Thanks again.