22 Replies. Latest reply on Jun 26, 2008 6:26 AM by dlofthouse
      • 15. Re: GSSAPI/Negotiate
        cdelashmutt

        So I now have a more reliable way to get groups for non-AD domains. I was able to hack up the jarapac 0.3.8 library to allow me to talk to the venerable SAM service via RPC to windows with pure Java. This gives me a way to map group ids to names without using LDAP. I could also use this as a backup method to get group names for the ids that we'll get from PAC with Kerberos.

        The next thing I think that needs to be tackled is getting PAC info out of the Kerberos authentication ticket. I'm thinking that I'll probably continue to hack up jcifs right now so that we can have a LoginModule that will work on JDK 1.3 as well.

        • 16. Re: GSSAPI/Negotiate
          senthilid14

          Sorry, I should not post here, but I badly need help.

          Chris, why don't you help me?
          http://www.jboss.com/index.html?module=bb&op=viewtopic&t=84095

          • 17. Re: GSSAPI/Negotiate
            j_ri

            here are some links:

            http://bofriis.dk/spnegoarticles.do
            At a different place on http://bofriis.dk you find instructions on how to configure MS Active Directory. There is a problem about the encryption, because the Active Directory doesn't support 3DES, but only DES...and Java doesn't support RC4-HMAC, which is the default in ADS (at least not until J2SE 6).


            http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx

            http://www-128.ibm.com/developerworks/java/library/j-gss-sso/

            http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

            The trick is to convert the SPNEGO token into a Kerberos token...but the jCIFS extension from the wiki does that for you.

            ...but at the moment I am having big problems configuring our environment myself...

            have fun with the links...and be patient;-)
            Jochen

            P.S.: You really need 2 Computers......or VMWare

            • 18. Re: GSSAPI/Negotiate
              cdelashmutt

              Just wanted to let anyone interested know that there was a slight update made to the wiki detailing some configuration differences between using this plug-in with a JBoss AS server installed via the ZIP file, versus the JBoss AS server installed via the JBoss Installer jar.

              You can view the updated instructions (basically just step 3) at http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos

              • 19. Re: GSSAPI/Negotiate
                markash

                Good Day,

                Does anyone have any pointers on how I can get a Swing application to use the Kerberos Login Module to pass the credentials to JBoss?

                On the client I have the following JAAS conf
                client {
                com.sun.security.auth.module.Krb5LoginModule optional useTicketCache=true doNotPrompt=true debug=true;
                };

                My client is authenticated but I have no way of communicating the credentials to the server login modules.

                Regards,
                Mark P Ashworth

                • 20. Re: GSSAPI/Negotiate
                  carstenklein

                  @Mark: We have implemented a KerberosLoginModule for JBoss that can be used in a fat client scenario. How it works:
                  1. The client part of the LoginModule uses the GSS-API to create a Kerberos Service Token for the Service Principal of the server. To get the Service Token, the GSS-API needs the Ticket-Granting-Ticket (TGT) of the user. The standard Krb5LoginModule can be configured to get the TGT from cache - that is what you typically want.
                  2. The client part of the LoginModule encodes the Service Ticket in base64 and puts the ticket into the credentials of the SecurityAssociation of JBoss - like a password.
                  3. The server part of the LoginModule decodes the Service Ticket.
                  4. The server part of the LoginModule validates the Service Ticket with the GSS-API. To validate the ticket, the GSS-API needs the private Service Key of the server. That is typically deployed in a keytab. The Standard Krb5LoginModule can be configured to obtain the Service Key from the keytab.

                  All that GSS-API and Kerberos stuff is well documented: http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/index.html

                  @JBoss: What about the SPNEGO/Kerberos support? I have not seen any production ready LoginModule yet. I am VERY interested in such a LoginModule for Tomcat and JBoss AppSrv.

                  Why do you invest so much time in getting role / group information from the Active Directory? In an enterprise context the Active Directory is an out-sourced infrastructure service. That is not the right place to define roles (other than infrastructure roles) for thousands of users and hundreds of applications!

                  I think it would be enough to authenticate a user with Kerberos and get the application roles from another (application specific) LoginModule - without authentication. So why should we make things more complicated?

                  • 21. Re: GSSAPI/Negotiate
                    nofreak

                    Hi,
                    we have similar implementation requirements for a fat client scenario.
                    1. The client part should get the TGT from cache
                    2. TGT should be sent to JBoss
                    3. JBoss should get a Service Ticket from the AS Server with the aid of GSS-API
                    4. Service execution is secured

                    The first I have got working with the Krb5LoginModule, the second I should get to work, but currently I don't know how I could get the third to work.
                    Generally I don't know whether it's possible.
                    Is there an example of how I can obtain the service ticket from the AS server with the aid of the GSS-API?
                    @carstenKlein
                    can you give an example of how it works?
                    It would be very helpful
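The four steps carstenklein lists in reply 20, and the client/server flow nofreak asks about in reply 21, as an added example that is not part of this thread and not the poster's module: a client half that obtains the service ticket for the server's principal and a server half that validates it with the keytab key (in Kerberos the client, not the server, fetches the service ticket from the KDC; the server only needs its own key). It assumes Java 8 or later (lambdas and java.util.Base64, newer than anything in this thread), that each side has already run Krb5LoginModule into a Subject, and a hypothetical service principal name; the JBoss SecurityAssociation plumbing that carries the string is not shown.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
public final class KerberosTicketExchange {
    // Kerberos V5 mechanism OID (RFC 1964).
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
    // Hypothetical service principal of the JBoss server; replace with your own.
    static final String SERVICE_PRINCIPAL = "jboss/appserver.example.com@EXAMPLE.COM";

    // Client side (steps 1 and 2): run as the Subject that Krb5LoginModule filled
    // from the ticket cache, ask GSS for a ticket for the server principal and
    // return the AP-REQ base64-encoded, ready for the credential slot.
    public static String createServiceToken(Subject clientSubject) throws Exception {
        return Subject.doAs(clientSubject, (PrivilegedExceptionAction<String>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSName server = gm.createName(SERVICE_PRINCIPAL, GSSName.NT_USER_NAME, KRB5_MECH);
            GSSContext ctx = gm.createContext(server, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
            // No mutual auth: one AP-REQ establishes the context, so there is no
            // second leg that would have to travel back to the client.
            ctx.requestMutualAuth(false);
            byte[] apReq = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return Base64.getEncoder().encodeToString(apReq);
        });
    }

    // Server side (steps 3 and 4): run as the Subject that Krb5LoginModule filled
    // from the keytab (isInitiator=false useKeyTab=true storeKey=true), decode
    // the token, let GSS check it against the service key, return the client name.
    public static String validateServiceToken(Subject serverSubject, String base64Token) throws Exception {
        byte[] apReq = Base64.getDecoder().decode(base64Token);
        return Subject.doAs(serverSubject, (PrivilegedExceptionAction<String>) () -> {
            GSSManager gm = GSSManager.getInstance();
            // Null credential: GSS picks the acceptor key from the current Subject.
            GSSContext ctx = gm.createContext((GSSCredential) null);
            ctx.acceptSecContext(apReq, 0, apReq.length);
            if (!ctx.isEstablished()) throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            String client = ctx.getSrcName().toString();
            ctx.dispose();
            return client;
        });
    }
}
```

Because the token travels in the password slot, the transport to JBoss still needs protection: the acceptor's replay cache and the authenticator timestamp limit reuse of a captured token but do not replace TLS.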

                    • 22. Re: GSSAPI/Negotiate
                      dlofthouse

                      For SPNEGO for web applications please see the following post for information on the JBoss Negotiation project:

                      http://www.jboss.com/index.html?module=bb&op=viewtopic&t=137786
