I have been struggling for a while to put things together and solve this issue, but with no luck. I am trying to authenticate my Java application's users through AD using Kerberos. I have created the KDC as below:
    [libdefaults]
        default_realm = X.LOCAL
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96
        permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96

    [realms]
        X.LOCAL = {
            kdc = machine_name.X.LOCAL
            default_domain = X.LOCAL
        }

    [domain_realm]
        .X.LOCAL = X.LOCAL
I have defined a new realm as follows:
- Global security > JAAS - Application logins
- Created a new login named "client" and allocated the com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient resource.
At code level I am setting the path for the KDC:

    // "/path/to/krb5.conf" stands for the KDC config file shown above
    System.setProperty("java.security.krb5.conf", "/path/to/krb5.conf");
Trying to login:

    loginContext = new LoginContext(moduleName, getUsernamePasswordHandler(userName, secret));
    loginContext.login();
I am getting:

    Login error: com.ibm.security.krb5.KrbException, status code: 14 message: KDC has no support for encryption type
You will say that the encryption type is not supported :) I know.
Q: 1) What am I missing? (stuck here for over 1 week) 2) What am I doing wrong?
Thank you for your time.
Before I answer your question, you have to clean up your config and retry:
krb5.conf location and an env property. This gives you full flexibility. Your problem is probably this:
AD is Windows Server 2008, which has DES disabled, but you allow DES to be used. This won't work. DES is disabled in 2008 for a good reason. OR your client sends the initial request with AES at the top of the enctypes list. A Windows Server 2003 is not capable of dealing with that. The most common denominator is RC4-HMAC.
Use Wireshark to inspect the traffic. This will help you understand the issue, and Kerberos in general, tremendously. Write an isolated test program which will help you as a proof of concept.
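The answer's point is an enctype mismatch between the client's krb5.conf and what the AD KDC accepts (status code 14 is KDC_ERR_ETYPE_NOSUPP in RFC 4120). The following is an added example, not code from the question or the answer: a small Python linter that parses the `[libdefaults]` enctype keys from the question's config, flags the DES types that Windows Server 2008 and later refuse, warns when AES is listed first (the Windows Server 2003 case) and when rc4-hmac is absent, and produces a cleaned list. The embedded krb5.conf is constructed to mirror the one in the question; the function names and the rule set are this example's own, not anything from IBM's or Microsoft's tooling.

```python
"""Lint the enctype lists in a krb5.conf [libdefaults] section.

Added example; not part of the original question or answer. The rules
encode the answer's two failure modes: DES types in the list (rejected by
Windows Server 2008+) and AES placed first (rejected by Windows Server 2003).
"""
import re

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
DES_TYPES = {"des-cbc-md5", "des-cbc-crc"}
RC4_ALIASES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

# Constructed sample mirroring the config in the question.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = X.LOCAL
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96

[realms]
 X.LOCAL = {
  kdc = machine_name.X.LOCAL
  default_domain = X.LOCAL
 }

[domain_realm]
 .X.LOCAL = X.LOCAL
"""


def parse_sections(text):
    """Return {section: {key: value}} for flat key = value lines.

    Brace-delimited realm blocks are skipped: only [libdefaults] matters here.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if current is not None and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def check_enctypes(text):
    """Return a list of (key, finding) tuples; an empty list means nothing to fix."""
    findings = []
    libdefaults = parse_sections(text).get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            continue  # unset: the Kerberos library negotiates on its own
        types = libdefaults[key].split()
        des = [t for t in types if t in DES_TYPES]
        if des:
            findings.append((key, f"DES types {des} are disabled on Windows Server 2008 and later"))
        if types and types[0].startswith("aes"):
            findings.append((key, "AES listed first; a Windows Server 2003 KDC cannot handle an AES-first request"))
        if not any(t in RC4_ALIASES for t in types):
            findings.append((key, "no rc4-hmac entry; it is the common denominator across AD versions"))
    return findings


def cleaned_enctypes(value):
    """Drop DES types from an enctype list, keeping the remaining order."""
    return " ".join(t for t in value.split() if t not in DES_TYPES)


if __name__ == "__main__":
    for key, msg in check_enctypes(SAMPLE_KRB5_CONF):
        print(f"{key}: {msg}")
    print(cleaned_enctypes("des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac aes128-cts-hmac-sha1-96"))
```

Run against the question's config it reports the DES finding for all three keys; the simplest remediation the answer implies is to drop the DES entries (or remove the three keys entirely and let the library negotiate), then confirm with a Wireshark capture of the AS-REQ that the etype list the client actually sends matches what the KDC accepts.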