I've got Kerberos with CXF/WSS4J and STS for Microsoft AD running in a customer 
environment.

Were you successful?

Thanks
Oli



------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Andrei Shakirin [[email protected]]
Sent: 07 October 2013 09:18
To: [email protected]
Cc: [email protected]
Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Hi,

I never tried that under AD, not sure if Colm has some experience.
The JDK provides a JAAS login module for Windows as well
(com.sun.security.auth.module.Krb5LoginModule), therefore I thought that it
should work.

I would suggest starting from a very simple case, not involving CXF at all in
the first step:

jaas.conf:
alice {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    useTicketCache=true;
};

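import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasLoginTest {

    public static void main(String[] argv) {
        // Point JAAS at the jaas.conf found on the classpath
        URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
        System.setProperty("java.security.auth.login.config", conf.toString());

        // Only needed when not using the ticket cache
        CallbackHandler callbackHandler = new CallbackHandler() {

            @Override
            public void handle(Callback[] callbacks)
                    throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName("alice");
                    }
                    if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword("clarinet".toCharArray());
                    }
                }
            }
        };

        try {
            // "alice" is the name of the entry in jaas.conf
            LoginContext lc = new LoginContext("alice", callbackHandler);
            lc.login();
            Subject subject = lc.getSubject();
            Set<Principal> principals = subject.getPrincipals();
            Set<Object> credentials = subject.getPrivateCredentials();
            System.out.println("OK: " + principals);
            System.out.println("OK: " + credentials);
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}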

The code tries a Kerberos logon with user alice and password clarinet.
After you get it working, you can try further steps with CXF.

Regards,
Andrei.

> -----Original Message-----
> From: sinma [mailto:[email protected]]
> Sent: Samstag, 5. Oktober 2013 13:09
> To: [email protected]
> Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC
>
> Hi Andrei, Thanks for the reply. Kerberos setup is native in Microsoft. The way
> they are setting the service principal in AD is not the same as MIT Krb5 that
> Colm laid out in his blog - I personally believe the MIT way is pretty
> straightforward and clear. So the steps in Colm's blog are not enough to get it
> working with Microsoft AD as KDC. On top of that, Microsoft is adding their own
> PAC part to the ticket, which seems to be adding issues to ticket validation -
> I am not sure about it yet. There must be a couple of tricks and tweaks in the
> SPN setup; I'm still digging in and will share if I can find them. I was just
> checking and hoping somebody had tried the MS Krb5 implementation and had it
> working with WSS4J/CXF. It seems the answer is no, at least in the CXF
> community. Regards, Sin
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-Kerberos-using-Microsoft-AD-as-KDC-tp5734586p5734769.html
> Sent from the cxf-user mailing list archive at Nabble.com.
