Kerberos authentication with WSO2 ESB

0. Set up the Active Directory as the KDC as in my previous blog post.

1. Download WSO2 ESB 3.0.1 from here unzip and apply the patches patch0003 and patch0023.These patches are not publicly available - but will be added in to the future releases. If you interested, please contact us on

2. Create a file called krb.conf inside [ESB_HOME]\repository\conf and copy the following content to it.
        default_realm = WSO2.COM 
        default_tkt_enctypes = rc4-hmac 
        default_tgs_enctypes = rc4-hmac 
        dns_lookup_kdc = true 
        dns_lookup_realm = false 

        WSO2.COM = { 
            kdc =
Here, WSO2.COM is my root domain name of my Active Directory, which is acting as the KDC and is it's IP address - so you need to change them as per your setup. Make sure that you have default_realm all caps.

3. Create a file called jaas.conf inside [ESB_HOME]\repository\conf and copy the following content to it.
Server { required
Client { required
4. Start the WSO2 ESB

5. Apply security to the given proxy service [during this sample we select echo sample service which is already there by default]

6. Select 'Sign & Encrypt with Anonymous' from the Security Policy wizard.

7. After applying, edit the policy and replace both bindings with the content below.
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="kerberossignandencrypt"
  xmlns:wsp="" xmlns:wsu="">
      <sp:SymmetricBinding xmlns:sp="">
              <sp:KerberosToken sp:IncludeToken="">
      <sp:SignedParts xmlns:sp="">
      <sp:Wss11 xmlns:sp="">
      <sp:Trust10 xmlns:sp="">
      <rampart:RampartConfig xmlns:rampart="">
          <rampart:property name="service.principal.password">1qaz2wsx$</rampart:property>
          <rampart:property name="">true</rampart:property>
          <rampart:property name="">/Users/prabath/clients/wso2esb-3.0.1/repository/conf/krb.conf</rampart:property> 
You need to set your SPN password under service.principal.password and also the absolute path to krb.conf under

8. You can write the Java client to this service as explained in my previous blog post.