Posted to users@cxf.apache.org by sinma <si...@gmail.com> on 2013/09/28 21:38:00 UTC

CXF, WSS4J, Kerberos using Microsoft AD as KDC

Hi,

This great blog is using MIT KDC on Ubuntu:
http://coheigea.blogspot.ca/2011/10/using-kerberos-with-web-services-part-i.html

I was wondering if there is any reference to do the exact same thing using Microsoft Active Directory as a KDC. Any help will be highly appreciated.

Kind Regards,
Sinma



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-Kerberos-using-Microsoft-AD-as-KDC-tp5734586.html
Sent from the cxf-user mailing list archive at Nabble.com.

RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Posted by Oliver Wulff <ow...@talend.com>.
Hi there

I have the following configuration.

Here is the jaas.conf:

STS {
    com.sun.security.auth.module.Krb5LoginModule required
        refreshKrb5Config=true
        useKeyTab=true
        // storeKey=true keeps the service key in the Subject; the Kerberos
        // token validator needs it to accept the client's service ticket
        storeKey=true
        keyTab="/app/sts/container/conf/sts.keytab"
        principal="HTTP/mymachine.mydomain.com:8443";
};

Ensure that the JAVA_OPTS variable contains the location of the jaas.conf file:
JAVA_OPTS="-Dsun.security.krb5.debug=false -Djava.security.auth.login.config=/app/sts/container/conf/jaas.conf"
export JAVA_OPTS


Ensure the Kerberos service principal is set up in AD/KDC.

Here is the STS-related Spring configuration:

<bean id="kerberosValidator" class="org.apache.ws.security.validate.KerberosTokenValidator">
	<property name="contextName" value="STS" />
	<property name="serviceName" value="HTTP@mymachine.mydomain.com:8443" />
</bean>

<jaxws:endpoint id="transportSTSKT" implementor="#transportSTSProviderBean"
	address="/STSServiceTransportKerberos" wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
	xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
	serviceName="ns1:SecurityTokenService" endpointName="ns1:TransportKerberos_Port">
	<jaxws:properties>
		<entry key="ws-security.callback-handler" value="demo.PasswordCallbackHandler" />
		<entry key="ws-security.bst.validator" value-ref="kerberosValidator" />
	</jaxws:properties>
</jaxws:endpoint>

Oli




------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: sinma [sinma.babel@gmail.com]
Sent: 23 November 2013 01:32
To: users@cxf.apache.org
Subject: Re: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Hi,
No. Would it be possible to share setup steps?

Best Regards,
Sinma


On Mon, Nov 18, 2013 at 3:14 PM, Oliver Wulff [via CXF] wrote:

> I've got Kerberos with CXF/WSS4J and STS for Microsoft AD running in a
> customer environment.
>
> Were you successful?
>
> Thanks
> Oli
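
The jaas.conf in Oliver's post binds Krb5LoginModule to a keytab and to a principal string that has to match an entry in that keytab exactly, including the ":8443" suffix he uses. Below is an added example, not code from the original post or from the CXF/WSS4J project: a small Python inspector for the MIT keytab file format (version 0x0502, which is what ktpass writes and what the JDK reads). It lists the entries and flags the two mismatches that typically surface only as a failed Krb5LoginModule login: no entry for the configured principal, and no key of the required encryption type. The realm MYDOMAIN.COM, the kvno and all key bytes are constructed sample data; the principal HTTP/mymachine.mydomain.com:8443 is the one from the configuration above.

```python
"""Inspect a keytab before pointing Krb5LoginModule at it.

Added example, not code from the CXF/WSS4J project or the thread. Parses the MIT
keytab format (version 0x0502) and checks it against the jaas.conf principal.
Realm MYDOMAIN.COM and all key bytes are constructed sample data.
"""
import struct
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# IANA Kerberos enctype numbers seen in AD-issued keytabs; 1, 3 and 23 are legacy
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
LEGACY_ENCTYPES = {1, 3, 23}

@dataclass
class KeytabEntry:
    principal: str  # e.g. HTTP/mymachine.mydomain.com:8443@MYDOMAIN.COM
    kvno: int
    enctype: int
    key: bytes

def _counted_string(buf: bytes, pos: int) -> Tuple[str, int]:
    # uint16 length followed by the bytes; used for the realm and name components
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _parse_entry(buf: bytes) -> KeytabEntry:
    (num_components,) = struct.unpack_from(">H", buf, 0)
    realm, pos = _counted_string(buf, 2)
    components = []
    for _ in range(num_components):
        component, pos = _counted_string(buf, pos)
        components.append(component)
    _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", buf, pos)
    enctype, key_len = struct.unpack_from(">HH", buf, pos + 9)
    pos += 13
    key = buf[pos:pos + key_len]
    pos += key_len
    kvno = vno8
    if pos + 4 <= len(buf):  # optional 32-bit kvno; when non-zero it wins
        (kvno32,) = struct.unpack_from(">I", buf, pos)
        kvno = kvno32 or vno8
    return KeytabEntry("/".join(components) + "@" + realm, kvno, enctype, key)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the int32-sized records; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos -= size  # skip the hole
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries

def check_keytab(entries: Iterable[KeytabEntry], expected_principal: str,
                 required_enctypes: Tuple[int, ...] = (18,)) -> List[str]:
    """Report what breaks or weakens the login: no entry for the exact principal
    string (the :8443 suffix matters), a required enctype missing, legacy-only keys."""
    entries = list(entries)
    matching = [e for e in entries if e.principal == expected_principal]
    if not matching:
        found = sorted({e.principal for e in entries})
        return ["no key for %s (found: %s)" % (expected_principal, found)]
    problems = []
    present = {e.enctype for e in matching}
    for et in required_enctypes:
        if et not in present:
            problems.append("missing enctype %d (%s)" % (et, ENCTYPE_NAMES.get(et, "unknown")))
    if present <= LEGACY_ENCTYPES:
        problems.append("only legacy enctypes present: %s" % sorted(present))
    return problems

def _encode_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    # inverse of _parse_entry; only used to construct the sample keytab below
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def build_keytab(entries: Iterable[Tuple[str, int, int, bytes]]) -> bytes:
    return b"\x05\x02" + b"".join(_encode_entry(*e) for e in entries)

STS_PRINCIPAL = "HTTP/mymachine.mydomain.com:8443@MYDOMAIN.COM"  # realm assumed
# Constructed stand-in for sts.keytab: AES-256 and RC4 keys at kvno 3, dummy key bytes
SAMPLE_KEYTAB = build_keytab([(STS_PRINCIPAL, 3, 18, bytes(range(32))),
                              (STS_PRINCIPAL, 3, 23, bytes(range(16)))])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    print(*(check_keytab(parse_keytab(data), STS_PRINCIPAL) or ["keytab OK"]), sep="\n")
```

Run it with the path of the real keytab as its only argument; without an argument it inspects the constructed sample. What it cannot tell you offline is whether the kvno in the file still matches the service account in AD: resetting that account's password (which ktpass with /pass also does) bumps the kvno on the AD side and silently invalidates any keytab generated earlier, so regenerate the keytab after every password change and compare the kvno it reports.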

Re: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Posted by sinma <si...@gmail.com>.
Hi,
No. Would it be possible to share setup steps?

Best Regards,
Sinma


On Mon, Nov 18, 2013 at 3:14 PM, Oliver Wulff [via CXF] wrote:

> I've got Kerberos with CXF/WSS4J and STS for Microsoft AD running in a
> customer environment.
>
> Were you successful?
>
> Thanks
> Oli

RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Posted by Oliver Wulff <ow...@talend.com>.
I've got Kerberos with CXF/WSS4J and STS for Microsoft AD running in a customer environment.

Were you successful?

Thanks
Oli



________________________________________
From: Andrei Shakirin [ashakirin@talend.com]
Sent: 07 October 2013 09:18
To: users@cxf.apache.org
Cc: sinma.babel@gmail.com
Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Hi,

I never tried that under AD; not sure if Colm has some experience.
The JDK provides a JAAS login module for Windows as well (com.sun.security.auth.module.Krb5LoginModule), therefore I thought that it should work.


RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

I never tried that under AD; not sure if Colm has some experience.
The JDK provides a JAAS login module for Windows as well (com.sun.security.auth.module.Krb5LoginModule), therefore I thought that it should work.

I would suggest starting from a very simple case, not involving CXF at all in the first step:

jaas.conf:
alice {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    useTicketCache=true;
};

import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasLoginTest {

    public static void main(String argv[]) {
        // Point JAAS at the jaas.conf on the classpath (the "alice" entry above)
        URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
        System.setProperty("java.security.auth.login.config", conf.toString());

        // Only needed when not using the ticket cache
        CallbackHandler callbackHandler = new CallbackHandler() {

            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName("alice");
                    }
                    if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword("clarinet".toCharArray());
                    }
                }
            }
        };

        try {
            LoginContext lc = new LoginContext("alice", callbackHandler);
            lc.login();
            Subject subject = lc.getSubject();
            Set<Principal> principals = subject.getPrincipals();
            // The private credentials hold the TGT; printing them dumps its
            // session key, so keep this to a throwaway test environment.
            Set<Object> credentials = subject.getPrivateCredentials();
            System.out.println("OK: " + principals);
            System.out.println("OK: " + credentials);
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}

The code tries a Kerberos logon with user alice and password clarinet.
After you get it working, you can try further steps with CXF.

Regards,
Andrei.

> -----Original Message-----
> From: sinma [mailto:sinma.babel@gmail.com]
> Sent: Saturday, 5 October 2013 13:09
> To: users@cxf.apache.org
> Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Posted by sinma <si...@gmail.com>.
Hi Andrei,

Thanks for the reply. Kerberos setup is native in Microsoft. The way they are setting the service principal in AD is not the same as MIT Krb5 that Colm laid out in his blog - I personally believe the MIT way is pretty straightforward and clear. So the steps in Colm's blog are not enough to get it working with Microsoft AD as KDC. On top, Microsoft is adding their own PAC part to the ticket, which seems to add issues to ticket validation - I am not sure about it yet. There must be a couple of tricks and tweaks in SPN setup; I'm still digging in and will share if I can find it. I was just checking and hoping somebody had tried the MS Krb5 implementation and had it working with WSS4J/CXF. It seems the answer is no, at least in the CXF community.

Regards,
Sin




RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

Basically the WS-Security policy and the Kerberos JAAS login module are configured the same way as under Linux, so you can reuse all the topics in (2) "Running the Kerberos system tests in Apache CXF" from Colm's blog.
The only problem is configuring the AD Kerberos server; you should refer to the Microsoft documentation for that.

Regards,
Andrei.
