I've got Kerberos with CXF/WSS4J and STS for Microsoft AD running in a customer environment.
Were you successful?

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Andrei Shakirin [[email protected]]
Sent: 07 October 2013 09:18
To: [email protected]
Cc: [email protected]
Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC

Hi,

I never tried that under AD, not sure if Colm has some experience.
The JDK provides a JAAS login module for Windows as well (com.sun.security.auth.module.Krb5LoginModule), therefore I thought that it should work.

I would suggest starting from a very simple case, not involving CXF at all in the first step:

jaas.conf:

    alice {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useTicketCache=true;
    };

JaasLoginTest.java:

    import java.io.IOException;
    import java.net.URL;
    import java.security.Principal;
    import java.util.Set;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    public class JaasLoginTest {

        public static void main(String argv[]) {
            // Point JAAS at the jaas.conf found on the classpath
            URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
            System.setProperty("java.security.auth.login.config", conf.toString());

            // Only needed when not using the ticket cache
            CallbackHandler callbackHandler = new CallbackHandler() {
                @Override
                public void handle(Callback[] callbacks)
                        throws IOException, UnsupportedCallbackException {
                    for (Callback callback : callbacks) {
                        if (callback instanceof NameCallback) {
                            ((NameCallback) callback).setName("alice");
                        }
                        if (callback instanceof PasswordCallback) {
                            ((PasswordCallback) callback).setPassword("clarinet".toCharArray());
                        }
                    }
                }
            };

            try {
                // "alice" is the name of the entry in jaas.conf
                LoginContext lc = new LoginContext("alice", callbackHandler);
                lc.login();
                Subject subject = lc.getSubject();
                Set<Principal> principals = subject.getPrincipals();
                Set<Object> credentials = subject.getPrivateCredentials();
                System.out.println("OK: " + principals);
                System.out.println("OK: " + credentials);
            } catch (LoginException e) {
                e.printStackTrace();
            }
        }
    }

The code tries a Kerberos logon with user alice and password clarinet.
After you get it working, you can try further steps with CXF.

Regards,
Andrei.

> -----Original Message-----
> From: sinma [mailto:[email protected]]
> Sent: Samstag, 5. Oktober 2013 13:09
> To: [email protected]
> Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC
>
> Hi Andrei,
>
> Thanks for the reply. Kerberos setup is native in Microsoft. The way they
> are setting the service principal in AD is not the same as the MIT Krb5 way
> that Colm laid out in his blog - I personally believe the MIT way is pretty
> straightforward and clear. So the steps in Colm's blog are not enough to get
> it working with Microsoft AD as KDC. On top of that, Microsoft is adding
> their own PAC part to the ticket, which seems to be adding issues to ticket
> validation - I am not sure about it yet. There must be a couple of tricks
> and tweaks in the SPN setup; I'm still digging in and will share if I can
> find it. I was just checking and hoping somebody had tried the MS Krb5
> implementation and has it working with WSS4J/CXF. It seems the answer is no,
> at least in the CXF community.
>
> Regards,
> Sin
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-Kerberos-using-Microsoft-AD-as-KDC-tp5734586p5734769.html
> Sent from the cxf-user mailing list archive at Nabble.com.
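
Added example, not part of the thread and not CXF or WSS4J code: a possible intermediate check between the JAAS login test in Andrei's message and CXF, asking the KDC for a service ticket for the web service's SPN through the JDK's GSS-API, which exercises the SPN registration in AD that the original question is about. The class name and the default SPN value are hypothetical placeholders, and the sketch assumes the "alice" jaas.conf entry from the thread and a TGT already present in the ticket cache.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Run with: java -Djava.security.auth.login.config=jaas.conf ServiceTicketTest <SPN>
public class ServiceTicketTest {
    // Kerberos V5 mechanism and Kerberos principal name type OIDs
    static final String KRB5_MECH = "1.2.840.113554.1.2.2";
    static final String KRB5_PRINCIPAL_NAME = "1.2.840.113554.1.2.2.1";

    public static void main(String[] args) throws Exception {
        // Placeholder SPN (assumption): pass the SPN registered in AD for the service
        final String spn = args.length > 0 ? args[0] : "HTTP/service.example.com@EXAMPLE.COM";

        // No CallbackHandler and no password in code: the "alice" entry uses
        // useTicketCache=true, so the login relies on an existing TGT.
        LoginContext lc = new LoginContext("alice");
        lc.login();
        Subject subject = lc.getSubject();

        try {
            byte[] token = Subject.doAs(subject,
                    (PrivilegedExceptionAction<byte[]>) () -> requestTicket(spn));
            System.out.println("OK: KDC issued a service ticket for " + spn
                    + " (initial GSS token, " + token.length + " bytes)");
        } catch (PrivilegedActionException e) {
            // An SPN that is not registered in the KDC typically shows up here as
            // "Server not found in Kerberos database (7)".
            GSSException g = (GSSException) e.getException();
            System.err.println("FAILED for " + spn + ": " + g.getMajorString()
                    + " / " + g.getMinorString());
        }
    }

    // Creating the first context token makes the JDK send a TGS-REQ for the SPN.
    static byte[] requestTicket(String spn) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName service = manager.createName(spn, new Oid(KRB5_PRINCIPAL_NAME));
        GSSContext ctx = manager.createContext(service, new Oid(KRB5_MECH),
                null, GSSContext.DEFAULT_LIFETIME);
        try {
            return ctx.initSecContext(new byte[0], 0, 0);
        } finally {
            ctx.dispose();
        }
    }
}
```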
