Requirement: We need to talk to a Kerberos-secured service (backend) via DataPower.
Issue: When trying to generate a ticket (Kerberos token) for a service S in the ABC domain via the KDC in the XYZ domain, it fails.
- Service S is secured in realm ABC (in the ABC domain).
- The ABC, PQR and XYZ domains form a Kerberos forest and trust each other.
- DP uses the get-kerberos-apreq() method to generate the ticket for the backend.
Currently the parameters are passed for the XYZ domain:
- SPN for the XYZ domain
- keytab generated for the XYZ domain
- clientPrincipal for XYZ
- This FAILS, as an invalid keytab and clientPrincipal are used.
- When get-kerberos-apreq() is issued for the ABC domain with the ABC keytab and clientPrincipal, it works.
Expectation: We should be able to generate a Kerberos token for a service in the ABC domain via the KDC in the XYZ domain, since ABC and XYZ have a cross-domain trust.
Some findings: When debugged with a packet capture, it is observed that get-kerberos-apreq() does not send options such as forwardTicket.
So I used the kerberos-get-apreq() method with that option; with that, I am NOT able to see the call in the packet capture.
Moreover, the response (apreq) and kerberos-error are both BLANK.
Not sure why kerberos-get-apreq() is NOT being called properly.
Using firmware version 220.127.116.11, and I see a fix for kerberos-get-apreq() in 18.104.22.168 (http://www-01.ibm.com/support/docview.wss?uid=swg1IC83863).
So I tend to believe the method is there and is callable in 22.214.171.124.
1. Why is kerberos-get-apreq() NOT being called / not returning any results? (In the packet capture I do not see anything; I DO NOT have the cache enabled.)
2. And how can I make sure that a token can be obtained for a service in the ABC realm via the KDC in the XYZ realm (with cross trust)?
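Question 2 can be isolated outside DataPower: obtain a TGT with the XYZ keytab and client principal, request a ticket for the ABC service, and confirm the credential cache holds the whole chain (initial TGT, cross-realm TGT krbtgt/ABC@XYZ, service ticket). The checker below is an added example, not from the original post or from DataPower; the klist output, keytab name and principal names are constructed, only the realm names come from the post.

```python
import re

# Constructed `klist -f` output after `kinit -kt xyz.keytab dpclient@XYZ`
# and `kvno HTTP/s.abc.example@ABC` (hypothetical names; realms from the post).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_dp
Default principal: dpclient@XYZ

Valid starting       Expires              Service principal
01/02/2024 10:00:00  01/02/2024 20:00:00  krbtgt/XYZ@XYZ
\tFlags: FIA
01/02/2024 10:00:01  01/02/2024 20:00:00  krbtgt/ABC@XYZ
\tFlags: FAT
01/02/2024 10:00:02  01/02/2024 20:00:00  HTTP/s.abc.example@ABC
\tFlags: FAT
"""

# A ticket line: two "<date> <hh:mm:ss>" columns followed by the service principal.
TICKET_RE = re.compile(r"^\S+ \d\d:\d\d:\d\d\s+\S+ \d\d:\d\d:\d\d\s+(\S+)\s*$")

def parse_klist(text):
    """Return (default principal, {service principal: flags}) from klist -f output."""
    default, tickets, current = None, {}, None
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        elif line.strip().startswith("Flags:") and current:
            tickets[current] = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line)
            if m:
                current = m.group(1)
                tickets[current] = ""
    return default, tickets

def check_cross_realm_path(text, client_realm, service_spn):
    """List what is missing from the chain client TGT -> cross-realm TGT -> service ticket."""
    service_realm = service_spn.split("@")[1]
    default, tickets = parse_klist(text)
    problems = []
    if not default or not default.endswith("@" + client_realm):
        problems.append(f"default principal {default!r} is not in client realm {client_realm}")
    local_tgt = f"krbtgt/{client_realm}@{client_realm}"
    xrealm_tgt = f"krbtgt/{service_realm}@{client_realm}"
    if local_tgt not in tickets:
        problems.append(f"no initial TGT {local_tgt}: kinit against the {client_realm} KDC failed")
    if xrealm_tgt not in tickets:
        problems.append(f"no cross-realm TGT {xrealm_tgt}: trust {client_realm}->{service_realm} not usable")
    if service_spn not in tickets:
        problems.append(f"no service ticket for {service_spn}")
    elif "F" not in tickets[service_spn]:
        problems.append(f"service ticket for {service_spn} is not forwardable")
    return problems
```

An empty list means the forest trust path works for this keytab and principal, so a remaining failure lies in the DataPower call rather than in the KDCs.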