Spring Security Kerberos SSO for a REST API (Tomcat)

Here is my problem:

Context :
-Windows Server 2012 with ActiveDirectory
-Rest API (Spring)

I’m currently trying to restrict REST request. I want that only specific groups of the AD could access to specific resources. I’m restricted to Kerberos authentication.

System configuration

  1. Create a user in domain “Tomcat”
  2. setspn -a HTTP/apirest.domain@DOMAIN
  3. Generate a tomcat.keytab using ktpass

API rest configuration

I’m using the spring security sample on github that you can find here :


I know that there is an EntryPoint and this is not needed in my context (API Rest). I’ve chosen this sample because it seems to use the windows authentication context and use it to automatically authenticate me in the spring security context. Right after, an ldap request is send to extract all information about the user logged. In my case, I need to extract the group.

I’m also using :


To extract the role of the user with the class “RoleStrippingLdapUserDetailsMapper.java” instead of the “ActiveDirectoryLdapAuthoritiesPopulator”. This implementation also offers localhost authentication but the issue with the NTLM token seems to be fixed in last commit of spring security.

I’m not really sure if this is the right way to do what I want.

My authentication seems to fail and I only have one things going wrong in my logs..

“Property ‘userDn’ not set – anonymous context will be used for read-write operations”


  1. Do I have to run my tomcat service using the tomcat account ? (Seems to be, yes)
  2. Am I doing the right things with Kerberos security ?
  3. How can I get rid of the anonymous context?
  4. The anonymous context seems to be set just right after Tomcat start. I want to get a context just after that my user (For instance, user1) requests the rest API (EntryPoint or whatever)

If there is something unclear let me know, I will try to reformulate!


Spring Security Kerberos SSO for a REST API (Tomcat)