Friday, December 3, 2010

Kerberos authentication with WCF Service and Java Client

1. Go through this previous post and get the WCF Service running properly with Kerberos authentication.

2. Download the Kerberos Java client Eclipse project from here, import it into an Eclipse workspace and fix the missing references; all the jars are available inside [WSO2_ESB_HOME]\repository\components\plugin. You can download WSO2 ESB 3.0.1 from here.

3. rampart-core, rampart-policy and wss4j should be picked from patch0003 and patch0023. These patches are not publicly available, but will be added into future releases. If you are interested, please contact us at bizdev@wso2.com.

4. Make sure the Eclipse project compiles.

5. Configuration files

5.1. krb.conf
[libdefaults]
        default_realm = WSO2.COM
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
        dns_lookup_kdc = true
        dns_lookup_realm = false

[realms]
        WSO2.COM = {
            kdc = 192.168.2.10
        }
Here, WSO2.COM is the root domain name of my Active Directory, which is acting as the KDC, and 192.168.2.1 is its IP address, so you need to change them as per your setup. Make sure that the default_realm value is in all caps.

5.2 jaas.conf
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false;
};
You must have this Client section. Here we set useTicketCache=false, so our Java client need not be running in the same Windows domain as the KDC. If you set it to true, you need to be in the same Windows domain as the KDC and also edit the Windows registry at the client end; my previous blog post explains how to do that (see #6).

5.3 policy-1.xml
<rampart:kerberosConfig>
    <rampart:property name="client.principal.name">client</rampart:property>
    <rampart:property name="client.principal.password">1qaz2wsx$</rampart:property>
    <rampart:property name="service.principal.name">service/myserver@WSO2.COM</rampart:property>
    <rampart:property name="java.security.auth.login.config">jaas.conf</rampart:property>
    <rampart:property name="javax.security.auth.useSubjectCredsOnly">true</rampart:property>
    <rampart:property name="kdc.des.aes.factor">4</rampart:property>
    <rampart:property name="java.security.krb5.conf">/Users/prabath/clients/org.wso2.identity.esb.kerberos/krb.conf</rampart:property>
</rampart:kerberosConfig>
This is the security policy of the client. Here we have to set the path to jaas.conf and the absolute path to krb.conf, and at the same time the username and password of the client account that invokes the service; this account should exist in the Active Directory.

Also make a note of service.principal.name: this is the SPN of the account under which the Kerberos service is running; we set this up in my previous blog post.

6. In the KerberosClient code, set RELYING_PARTY_SERVICE_EPR to your WCF Service EPR: http://192.168.2.10/EchoServices/EchoService.svc

7. That's it :)
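As an added example (not code from this post or from the WSO2 project), the following shows what the kerberosConfig properties in 5.3 drive underneath: a JAAS login against the Client section of jaas.conf, then a GSS-API request for a ticket to the service SPN. It assumes the krb.conf and jaas.conf from 5.1 and 5.2 are in the working directory and that the KDC is reachable; the class name KerberosTokenCheck is mine.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Added example, not part of the original post; requires a reachable KDC.
public class KerberosTokenCheck {
    // Same values as the policy-1.xml properties above; change them for your setup
    static final String CLIENT_PRINCIPAL = "client";
    static final char[] CLIENT_PASSWORD = "1qaz2wsx$".toCharArray();
    static final String SERVICE_PRINCIPAL = "service/myserver@WSO2.COM";

    public static void main(String[] args) throws Exception {
        // The three system properties the rampart policy sets on your behalf
        System.setProperty("java.security.krb5.conf", "krb.conf");
        System.setProperty("java.security.auth.login.config", "jaas.conf");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
        // "Client" must match the section name in jaas.conf
        LoginContext lc = new LoginContext("Client", callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(CLIENT_PRINCIPAL);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(CLIENT_PASSWORD);
                }
            }
        });
        lc.login(); // AS exchange with the KDC: gets a TGT (not cached, per useTicketCache=false)
        byte[] apReq = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 GSS mechanism
            // NT_USER_NAME accepts the full service/host@REALM form of the SPN
            GSSName service = mgr.createName(SERVICE_PRINCIPAL, GSSName.NT_USER_NAME);
            GSSContext ctx = mgr.createContext(service, krb5Mech, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false);
            // TGS exchange for the SPN, then the AP-REQ token rampart places in the SOAP security header
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;
        });
        System.out.println("AP-REQ token length: " + apReq.length + " bytes");
        lc.logout();
    }
}
```

If lc.login() fails with a realm or KDC error, check the krb.conf points from 5.1 (realm in all caps, correct kdc address) before looking at the policy.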

6 comments:

fire_storm said...

Does this request the kerberos ticket from the KDC via SOAP?

Prabath said...

No. It's not SOAP. Communication with the KDC is through the Java GSS-API.

Thanks & regards,
-Prabath

fire_storm said...

Thanks for the reply.
I am trying to set up a web service and a client for it which will communicate using SOAP messages.
I want to authenticate both parties with a third-party server and have it give out a symmetric key to both of them.
Both the service and the client are Axis2/Rampart based.
I would prefer it if the ticket/token request was done in SOAP.
What kind of messaging does GSS-API use?

Thanks
