Hi,

No. Would it be possible to share setup steps?

Best Regards,
Sinma

On Mon, Nov 18, 2013 at 3:14 PM, Oliver Wulff-2 [via CXF] <[email protected]> wrote:

> I've got Kerberos with CXF/WSS4J and STS for Microsoft AD running in a
> customer environment.
>
> Were you successful?
>
> Thanks
> Oli
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Andrei Shakirin [[hidden email]]
> Sent: 07 October 2013 09:18
> To: [hidden email]
> Cc: [hidden email]
> Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC
>
> Hi,
>
> I never tried that under AD, not sure if Colm has some experience.
> JDK provides a JAAS Login module for Windows as well
> (com.sun.security.auth.module.Krb5LoginModule), therefore I thought that it
> should work.
>
> I would suggest starting from a very simple case, not involving CXF at all
> in the first step:
>
> jaas.conf:
> alice {
>     com.sun.security.auth.module.Krb5LoginModule required
>     debug=true
>     useTicketCache=true;
> };
>
> import java.io.IOException;
> import java.net.URL;
> import java.security.Principal;
> import java.util.Set;
>
> import javax.security.auth.Subject;
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.NameCallback;
> import javax.security.auth.callback.PasswordCallback;
> import javax.security.auth.callback.UnsupportedCallbackException;
> import javax.security.auth.login.LoginContext;
> import javax.security.auth.login.LoginException;
>
> public class JaasLoginTest {
>
>     public static void main(String argv[]) {
>         // Point JAAS at the jaas.conf found on the classpath
>         URL conf = JaasLoginTest.class.getClassLoader().getResource("jaas.conf");
>         System.setProperty("java.security.auth.login.config", conf.toString());
>
>         // Only needed when not using the ticket cache
>         CallbackHandler callbackHandler = new CallbackHandler() {
>
>             @Override
>             public void handle(Callback[] callbacks) throws IOException,
>                     UnsupportedCallbackException {
>                 for (Callback callback : callbacks) {
>                     if (callback instanceof NameCallback) {
>                         ((NameCallback)callback).setName("alice");
>                     }
>                     if (callback instanceof PasswordCallback) {
>                         ((PasswordCallback)callback).setPassword("clarinet".toCharArray());
>                     }
>                 }
>             }
>         };
>
>         try {
>             // "alice" is the name of the entry in jaas.conf
>             LoginContext lc = new LoginContext("alice", callbackHandler);
>             lc.login();
>             Subject subject = lc.getSubject();
>             Set<Principal> principals = subject.getPrincipals();
>             Set<Object> credentials = subject.getPrivateCredentials();
>             System.out.println("OK: " + principals);
>             System.out.println("OK: " + credentials);
>         } catch (LoginException e) {
>             e.printStackTrace();
>         }
>     }
> }
>
> Code tries Kerberos logon with user alice and password clarinet.
> After you get it to work, you can try further steps with CXF.
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: sinma [mailto:[hidden email]]
> > Sent: Saturday, 5 October 2013 13:09
> > To: [hidden email]
> > Subject: RE: CXF, WSS4J, Kerberos using Microsoft AD as KDC
> >
> > Hi Andrei,
> >
> > Thanks for the reply. Kerberos setup is native in Microsoft. The way
> > they are setting the service principal in AD is not the same as the MIT
> > Krb5 way that Colm laid out in his blog - I personally believe the MIT
> > way is pretty straightforward and clear. So the steps in Colm's blog are
> > not enough to get it working with Microsoft AD as KDC. On top of that,
> > Microsoft is adding their own PAC part to the ticket, which seems to be
> > adding issues to ticket validation - I am not sure about it yet. There
> > must be a couple of tricks and tweaks in the SPN setup; I'm still digging
> > in and will share if I can find it. I was just checking and hoping
> > somebody had tried the MS Krb5 implementation and has it working with
> > WSS4J/CXF. It seems the answer is no, at least in the CXF community.
> >
> > Regards,
> > Sin
> >
> > --
> > View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-Kerberos-using-Microsoft-AD-as-KDC-tp5734586p5734769.html
> > Sent from the cxf-user mailing list archive at Nabble.com.

--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-Kerberos-using-Microsoft-AD-as-KDC-tp5734586p5736913.html
Sent from the cxf-user mailing list archive at Nabble.com.
