Topic
  • 3 replies
  • Latest Post - 2013-08-21T18:30:34Z by inestlerode

vishBrokerDP (116 Posts)

Pinned topic kerberos Authentication via cross domain Kerberos forest trust

2013-08-16T14:48:12Z | cross domain kerberos trust

Hi,

Requirement - We need to talk to a Kerberos-secured service (backend) via DataPower.

Issue : When we tried to generate a ticket (Kerberos token) for a service S in the ABC domain via the KDC in the XYZ domain, it failed.

Setup :

  1. Service S is secured in realm ABC (in the ABC domain).
  2. The ABC domain, PQR domain and XYZ domain form a Kerberos forest and they trust each other.
  3. DP uses the get-kerberos-apreq() method to generate the ticket for the backend.
  4. Currently the parameters are passed for the XYZ domain:
    • SPN for the XYZ domain
    • KeyTab generated for the XYZ domain
    • clientPrincipal for XYZ
  5. This FAILS, as an invalid keyTab and clientPrincipal are used.
  6. When get-kerberos-apreq() is issued for the ABC domain with the ABC keyTab and clientPrincipal, it works.

Expectation : We should be able to generate a Kerberos token for a service in the ABC domain via the KDC in the XYZ domain, as ABC and XYZ have a cross-domain trust.

Some Findings : When debugged with a packet capture, it is observed that get-kerberos-apreq() does not send options such as forwardTicket etc.

So I used the kerberos-get-apreq() method with that option; with that, I am NOT able to see the call in the packet capture.

Moreover, the response (apreq) and kerberos-error are both BLANK.

Not sure why kerberos-get-apreq() is NOT being called properly.

Using firmware version 4.0.2.10, and I see a fix for kerberos-get-apreq() in 4.0.2.8 (http://www-01.ibm.com/support/docview.wss?uid=swg1IC83863)

So I tend to believe the method is there and is callable in 4.0.2.10.

Questions :

1. Why is kerberos-get-apreq() NOT being called / not returning any results? (In the packet capture I do not see anything; I DO NOT have cache enabled.)

2. And how to make sure a token can be obtained for a service in the ABC realm via the KDC in the XYZ realm (with cross trust)?

Kindly suggest/advise.

Updated on 2013-08-16T15:24:44Z at 2013-08-16T15:24:44Z by vishBrokerDP
  • vishBrokerDP (116 Posts)

    Re: kerberos Authentication via cross domain Kerberos forest trust

    2013-08-19T20:02:57Z

    Bumping and Rephrasing

    1. Need to generate a Kerberos Token

    2. The KDCs are in a Kerberos forest and they trust each other.

    3. DP is configured to talk to KDC#1 and needs to generate a Ticket for KDC#2

    4. IF I configure KDC#2 and generate a ticket for it - all is GOOD.

    5. Requirement is to have it through KDC#1 (via Kerberos forest trust)

    6. Call to kerberos-get-apreq() with the 4th parameter 'option' as described in (http://pic.dhe.ibm.com/infocenter/wsdatap/v6r0m0/index.jsp?topic=%2Fcom.ibm.dp.xi.doc%2Fkerberos-get-apreq_cryptographicfunction.html)

    But that is NOT working as well.

    Firmware Version 4.0.2.10

    Kindly help/advise.

  • vishBrokerDP (116 Posts)

    Re: kerberos Authentication via cross domain Kerberos forest trust

    2013-08-19T20:46:19Z

    Well, it seems 'kerberos-get-apreq()' is NOT there in firmware 4.0.2.10.

    It has been introduced in firmware version 6.0.0.0

    (http://pic.dhe.ibm.com/infocenter/wsdatap/v6r0m0/index.jsp?topic=%2Fcom.ibm.dp.xi.doc%2Fkerberos-get-apreq_cryptographicfunction.html)

    So I guess I need to upgrade the firmware version first and then do the rest of the testing.

  • inestlerode (166 Posts)

    Re: kerberos Authentication via cross domain Kerberos forest trust

    2013-08-21T18:30:34Z

    The Kerberos extension functions were renamed in 6.0.0.0.  In previous releases dp:kerberos-get-apreq() was called dp:get-kerberos-apreq().

    None of the DataPower firmware releases support cross-realm Kerberos operations.
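As an added example (not code from this thread or from DataPower), a pre-flight check in Python of the three inputs the original post hands to get-kerberos-apreq() (renamed kerberos-get-apreq() in 6.0.0.0): it parses the SPN and the client principal, confirms the keytab actually holds the client principal, and flags the cross-realm case that, per the last reply, no firmware release handles, so the call is rejected before an empty apreq/kerberos-error pair has to be debugged. Realm and principal names are constructed.

```python
# Added example (not from the thread or from DataPower): a pre-flight check of
# the inputs handed to a same-realm AP-REQ generator such as
# dp:get-kerberos-apreq(). Realm and principal names below are constructed.
from dataclasses import dataclass


def parse_principal(name: str) -> tuple[list[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm), honouring the
    backslash escapes ('\\@', '\\/') of Kerberos principal syntax."""
    comps: list[str] = []
    cur, in_realm, i = "", False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):      # escaped character
            cur += name[i + 1]
            i += 2
            continue
        if not in_realm and ch in "/@":            # component separator
            comps.append(cur)
            cur = ""
            in_realm = ch == "@"
        else:
            cur += ch
        i += 1
    if not in_realm:                               # no '@': realm missing
        raise ValueError(f"principal has no realm: {name!r}")
    if not cur or any(c == "" for c in comps):
        raise ValueError(f"malformed principal: {name!r}")
    return comps, cur


@dataclass
class ApreqInputs:
    spn: str                      # service principal the ticket is for
    client_principal: str         # principal whose key is in the keytab
    keytab_principals: list[str]  # principals actually present in the keytab


def check_apreq_inputs(inp: ApreqInputs) -> list[str]:
    """Return the problems found; an empty list means the inputs are
    consistent for an implementation that only does same-realm requests."""
    problems: list[str] = []
    _, spn_realm = parse_principal(inp.spn)
    _, client_realm = parse_principal(inp.client_principal)
    if inp.client_principal not in inp.keytab_principals:
        problems.append("keytab has no entry for the client principal")
    if spn_realm != client_realm:
        problems.append(f"service realm {spn_realm} != client realm "
                        f"{client_realm}: cross-realm trust is not used")
    return problems
```

The check reproduces the poster's two situations: an XYZ keytab and client principal against an ABC SPN is reported as cross-realm, while all-ABC inputs pass.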