Hi,
I never tried that under AD, not sure if Colm has some experience.
The JDK provides a JAAS login module for Windows as well
(com.sun.security.auth.module.Krb5LoginModule), therefore I thought that it
should work.
I would suggest starting from a very simple case, not involving CXF at all in the
first step:
jaas.conf:
alice {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useTicketCache=true;
};
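
import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasLoginTest {
    public static void main(String[] argv) {
        // jaas.conf must be on the classpath
        URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
        System.setProperty("java.security.auth.login.config", conf.toString());

        // Only needed when not using the ticket cache
        CallbackHandler callbackHandler = new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException,
                    UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName("alice");
                    }
                    if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword("clarinet".toCharArray());
                    }
                }
            }
        };

        try {
            // "alice" is the name of the entry in jaas.conf
            LoginContext lc = new LoginContext("alice", callbackHandler);
            lc.login();
            Subject subject = lc.getSubject();
            Set<Principal> principals = subject.getPrincipals();
            Set<Object> credentials = subject.getPrivateCredentials();
            System.out.println("OK: " + principals);
            System.out.println("OK: " + credentials);
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}
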
The code tries a Kerberos logon with user alice and password clarinet.
After you get it working, you can try further steps with CXF.
Regards,
Andrei.
> -----Original Message-----
> From: sinma [mailto:[email protected]]
> Sent: Samstag, 5. Oktober 2013 13:09
> To: [email protected]
> Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC
>
> Hi Andrei,
> Thanks for the reply. Kerberos setup is native in Microsoft. The way
> they are setting the service principal in AD is not the same as MIT Krb5 that Colm
> laid out in his blog - I personally believe the MIT way is pretty straightforward
> and clear. So the steps in Colm's blog are not enough to get it working with
> Microsoft AD as KDC. On top of that, Microsoft is adding their own PAC part to the
> ticket, which seems to be adding issues to ticket validation - I am not sure about
> it yet. There must be a couple of tricks and tweaks in the SPN setup; I'm still digging in
> and will share if I can find it. I was just checking and hoping somebody had tried
> the MS Krb5 implementation and has it working with WSS4J/CXF. It seems the
> answer is no, at least in the CXF community.
> Regards,
> Sin