{"id":6716,"date":"2012-11-13T14:12:58","date_gmt":"2012-11-13T19:12:58","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=6716"},"modified":"2013-07-28T14:11:23","modified_gmt":"2013-07-28T19:11:23","slug":"javase-6-http-authentication","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=6716","title":{"rendered":"Windows Kerberos Authentication with java.net.Authenticator"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tOverview<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tHttp Authentication<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tjava.net.Authenticator<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
    3. \n\t\tAuthentication Schemes<\/a>\n\t\t
        \n\t\t\t
      1. \n\t\t\t\tHttp Basic<\/a>\n\t\t\t<\/li>\n\t\t\t
      2. \n\t\t\t\tHttp Digest<\/a>\n\t\t\t<\/li>\n\t\t\t
      3. \n\t\t\t\tNTLM<\/a>\n\t\t\t<\/li>\n\t\t\t
      4. \n\t\t\t\tSPNEGO<\/a>\n\t\t\t\t
          \n\t\t\t\t\t
        1. \n\t\t\t\t\t\tKerberos 5 Configuration<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n<\/ol>\n\t\t\t
        2. \n\t\t\t\tIIS Kerberos Only Authentication Example<\/a>\n\t\t\t\t
            \n\t\t\t\t\t
          1. \n\t\t\t\t\t\tDomain Controller<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
          2. \n\t\t\t\t\t\tIIS Server<\/a>\n\t\t\t\t\t\t
              \n\t\t\t\t\t\t\t
            1. \n\t\t\t\t\t\t\t\tConfigure IIS<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
            2. \n\t\t\t\t\t\t\t\tSetup SPN for IIS HTTP<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ol>\n\t\t\t\t\t
            3. \n\t\t\t\t\t\tClient Machine<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
            4. \n\t\t\t\t\t\tJava App: RunHttpSpnego.java<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
            5. \n\t\t\t\t\t\tKerberos config: krb5.conf<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
            6. \n\t\t\t\t\t\tJAAS Config: login.conf<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
            7. \n\t\t\t\t\t\tCompile and run:<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
            8. \n\t\t\t\tCaveats<\/a>\n\t\t\t\t
                \n\t\t\t\t\t
              1. \n\t\t\t\t\t\tWindows 2008 Domain Controller<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
              2. \n\t\t\t\tTools<\/a>\n\t\t\t\t
                  \n\t\t\t\t\t
                1. \n\t\t\t\t\t\tWindows klist.exe<\/em><\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                2. \n\t\t\t\t\t\tMIT Kerberos for Windows<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                3. \n\t\t\t\t\t\tSync Time with Windows Server<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                4. \n\t\t\t\tReferences<\/a>\n\t\t\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
                   <\/div>\n

                  Overview<\/h2><\/span>\n

                  Http Authentication<\/h3><\/span>\n

                  * Java SE supports:
                  \n– HTTP Basic authentication
                  \n– HTTP Digest authentication
                  \n– NTLM
                  \n– Http SPNEGO Negotiate with Kerberos and NTLM
                  \n* Uses java.net.Authenticator to
                  \n– enable authentication
                  \n– provide access to a store of usernames and passwords
                  \n* Work with both proxies and servers<\/p>\n

                  java.net.Authenticator<\/h3><\/span>\n

                  * Is an abstract class.
                  \n* Represents an object that knows how to obtain authentication for a network connection, usually by prompting user for information.<\/p>\n

                  \"\"<\/a><\/h6><\/span>\n

                  * Subclasses override
                  \n– getPasswordAuthentication()<\/em> to acquire username and password.
                  \n– setDefault(Authenticator)<\/em> to register with the system and enable<\/strong> autehntication.
                  \n* Example:<\/p>\n

                  \r\n    class MyAuthenticator extends Authenticator {\r\n\r\n        public PasswordAuthentication getPasswordAuthentication () {\r\n            return new PasswordAuthentication (\"user\", \"pass1\".toCharArray());\r\n        }\r\n    }\r\n<\/pre>\n
                  * Another example: http:\/\/nextmidas.techma.com\/nm\/nxm\/sys\/net\/HttpAuthenticator.java<\/a>
                  \n* Choose witch authentication scheme is used:
                  \n– By default, the implementation chosses the most secure protocol transparently.
                  \n– Can be overridden with -Dhttp.auth.preference=”scheme”<\/em> system property.<\/p>\n
                  Authentication Schemes<\/h2><\/span>\n
                  * Scheme preference: GSS\/SPNEGO -> Digest -> NTLM -> Basic<\/em>
                  \n* Specify no fallback with system proprety: http.auth.preference<\/em><\/p>\n
                  Http Basic<\/h3><\/span>\n
                  * Not secure
                  \n* Defined in RFC 2317
                  \n* Username and password are encoded in base64
                  \n* getRequestingPrompt()<\/em> returns the basic authentication realm as provided by the server<\/p>\n
                  Http Digest<\/h3><\/span>\n
                  * More secure than Basic.
                  \n* Username and password are hashed with MD5
                  \n* Turn on mutual authentication:<\/p>\n
                  \r\n  -Dhttp.auth.digest.validateServer=\"true\"\r\n  -Dhttp.auth.digest.validateProxy=\"true\"\r\n<\/pre>\n
                  NTLM<\/h3><\/span>\n
                  * More secure than Basic, but less secure than Digest.
                  \n* Can be used with proxies or servers, but not<\/strong> both at the same time.
                  \n* Specify domain name:
                  \n– Prefix username with domain name followed by a backslash: domainName\\username<\/em>
                  \n– Use system property: http.auth.ntlm.domain<\/em><\/p>\n
                  SPNEGO<\/h3><\/span>\n
                  * Negotiate scheme
                  \n* Only supports
                  \n– NTLM
                  \n– Kerberos<\/p>\n
                  Kerberos 5 Configuration<\/h4><\/span>\n
                  * Use java.security.krb5.conf<\/em> system property to point to Kerberos 5 configurations<\/p>\n
                  \r\njava -Djava.security.krb5.conf=krb5.conf ...\r\n<\/pre>\n
                  or programmatically:<\/p>\n
                  \r\nSystem.setProperty(\"java.security.krb5.conf\", \"kbr5.conf\");\r\n<\/pre>\n
                  * Use com.sun.security.jgss.krb5.initiate<\/em> entry in JAAS login config file to config which login moduel to use:<\/p>\n
                  \r\n  com.sun.security.jgss.krb5.initiate {\r\n      com.sun.security.auth.module.Krb5LoginModule\r\n      ...\r\n  };\r\n<\/pre>\n
                  IIS Kerberos Only Authentication Example<\/h2><\/span>\n
                  Domain Controller<\/h3><\/span>\n
                  * Windows 2003 SP1 Enterprise Server
                  \n– Computer name: DC01<\/em>
                  \n– AD Domain name: MYTEST.local<\/em>
                  \n– NetBIOS domain name: MYTEST<\/em>
                  \n* Admin User:
                  \n– Administrator\/Welcome1
                  \n* Client user domain name:
                  \n– Jimmy.Li@MYTEST.local<\/em>\/Password1<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Application domain name (under which IIS runs as):
                  \n– App.Service@MYTEST.local<\/em>\/Password1<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  IIS Server<\/h3><\/span>\n
                  * Windows 7
                  \n– Computer name: WIN7X64NOV3<\/em>
                  \n* Local User:
                  \n– Jimmy<\/em>\/Password1
                  \n* Login as domain User (otherwise cannot start IIS?):
                  \n– Administrator<\/em>\/Welcome1
                  \n* IIS run as service account:
                  \n– App.Service@MYTEST.local<\/em>\/Password1<\/p>\n
                  Configure IIS<\/h4><\/span>\n
                  * Install IIS for Win 7:<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Enable Kerberos only authentication:<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Run IIS DefaultAppPool as an application user, e.g. App.Service<\/em><\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  Setup SPN for IIS HTTP<\/h4><\/span>\n
                  * Login domain controller.
                  \n* Issue setspn<\/em> commands:<\/p>\n
                  \r\n# Add\r\nsetspn -A HTTP\/win7x64nov3 MYTEST\\App.Service\r\nsetspn -A HTTP\/win7x64nov3.mytest.local MYTEST\\App.Service\r\n\r\n# List\r\nsetspn -L App.Service\r\n\r\n# Delete when not needed anymore\r\nsetspn -D HTTP\/win7x64nov3 MYTEST\\App.Service\r\nsetspn -D HTTP\/win7x64nov3.mytest.local MYTEST\\App.Service\r\n<\/pre>\n
                  * See http:\/\/support.microsoft.com\/?id=871179<\/a> for setspn command help.<\/p>\n
                  Client Machine<\/h3><\/span>\n
                  * Turn on allowtgtsessionkey<\/em> in registry. Otherwise you’ll get Integrity check on decrypted field failed<\/em> error, because no TGT ticket could be read from LSA cache when you specify userTicketCache=true<\/em> in the login.conf file.<\/p>\n
                  \r\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters\r\nValue Name: allowtgtsessionkey\r\nValue Type: REG_DWORD\r\nValue: 0x01\r\n<\/pre>\n
                  * Also, for Windows 2008 domain, client user cannot<\/em> be in domain administrator group. If you login client machine with a user who is in domain administrator group, you’ll need elevated privileges in order to read LSA ticket cache.<\/p>\n
                  Java App: RunHttpSpnego.java<\/h3><\/span>\n
                  \r\npackage test.http.auth.one;\r\n\r\nimport java.io.BufferedReader;\r\nimport java.io.IOException;\r\nimport java.io.InputStream;\r\nimport java.io.InputStreamReader;\r\nimport java.net.Authenticator;\r\nimport java.net.MalformedURLException;\r\nimport java.net.PasswordAuthentication;\r\nimport java.net.URL;\r\n\r\npublic class RunHttpSpnego {\r\n\r\n  static final String kuser = \"jdoe\"; \/\/ your account name\r\n  static final String kpass = \"SecretPassword\"; \/\/ your password for the account\r\n\r\n  static class MyAuthenticator extends Authenticator {\r\n    public PasswordAuthentication getPasswordAuthentication() {\r\n      \/\/ I haven't checked getRequestingScheme() here, since for NTLM\r\n      \/\/ and Negotiate, the usrname and password are all the same.\r\n      System.err.println(\"Feeding username and password for \"\r\n          + getRequestingScheme());\r\n      return (new PasswordAuthentication(kuser, kpass.toCharArray()));\r\n    }\r\n  }\r\n\r\n  public static void main(String[] args) throws Exception {\r\n    Authenticator.setDefault(new MyAuthenticator());\r\n    readUrl(args);\r\n    System.out.println(\"################################\");\r\n    System.out.println(\"Read again...\");\r\n    readUrl(args);\r\n  }\r\n\r\n  private static void readUrl(String[] args) throws MalformedURLException,\r\n      IOException {\r\n    URL url = new URL(args[0]);\r\n    InputStream ins = url.openConnection().getInputStream();\r\n    BufferedReader reader = new BufferedReader(new InputStreamReader(ins));\r\n    String str;\r\n    while ((str = reader.readLine()) != null)\r\n      System.out.println(str);\r\n  }\r\n}\r\n<\/pre>\n
                  Kerberos config: krb5.conf<\/h3><\/span>\n
                  * Mnimal:<\/p>\n
                  \r\n[libdefaults]\r\n    default_realm = MYTEST.LOCAL\r\n[realms]\r\n    MYTEST.LOCAL = {\r\n        kdc = DC01.MYTEST.local\r\n    }\r\n<\/pre>\n
                  * Win 2003 (this one is actually used):<\/p>\n
                  \r\n[libdefaults]\r\n    default_realm = MYTEST.LOCAL\r\n\tdefault_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc\r\n\tdefault_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc\r\n\tpermitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc\r\n\r\n[realms]\r\n\tMYTEST.LOCAL  = {\r\n\t\tkdc = DC01.MYTEST.local \r\n\t\tdefault_domain = MYTEST.local \r\n}\r\n\r\n[domain_realm]\r\n\t.MYTEST.LOCAL = MYTEST.local \r\n<\/pre>\n
                  * For Windows 2008, DES encryption types are turned off by default. <\/p>\n
                  \r\n[libdefaults]\r\n    default_realm = MYTEST.LOCAL\r\n    default_tkt_enctypes = rc4-hmac \r\n    default_tgt_enctypes = rc4-hmac \r\n    permitted_enctypes = rc4-hmac\r\n\r\n[realms]\r\n\tMYTEST.LOCAL  = {\r\n\t\tkdc = mytest.local \r\n\t\tdefault_domain = mytest \r\n}\r\n\r\n[domain_realm]\r\n\t.mytest = MYTEST.LOCAL \r\n<\/pre>\n
                  JAAS Config: login.conf<\/h3><\/span>\n
                  \r\ncom.sun.security.jgss.krb5.initiate {\r\n  com.sun.security.auth.module.Krb5LoginModule required \r\n  doNotPrompt=false\r\n  storePass=true \r\n  useTicketCache=true;\r\n};\r\n<\/pre>\n
                  * Turn on debugging:<\/p>\n
                  \r\ncom.sun.security.jgss.krb5.initiate {\r\n  com.sun.security.auth.module.Krb5LoginModule required \r\n  doNotPrompt=false \r\n  useTicketCache=true \r\n  debug=true;\r\n};\r\n<\/pre>\n
                  Compile and run:<\/h3><\/span>\n
                  \r\nset JAVA_HOME=C:\\Program Files\\Java\\jdk1.6.0_33\r\nSET PATH=%JAVA_HOME%\\bin;%path%\r\n\r\njava -Djava.security.krb5.conf=krb5.conf -Djava.security.auth.login.config=login.conf -Djavax.security.auth.useSubjectCredsOnly=false test.http.auth.one.RunHttpSpnego http:\/\/dc01-a\/testauth\/test.htm\r\n\r\n# Turn on debugging with -Dsun.security.krb5.debug=true\r\njava -Djava.security.krb5.conf=krb5.conf -Djava.security.auth.login.config=login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true test.http.auth.one.RunHttpSpnego http:\/\/dc01-a\/testauth\/test.htm\r\n<\/pre>\n
                  Caveats<\/h2><\/span>\n
                  * In krb5.conf<\/em>, the realm name has to be<\/strong> all upper cases.
                  \n– This works:<\/p>\n
                  \r\n[libdefaults]\r\n    default_realm = MYTEST.LOCAL\r\n[realms]\r\n    MYTEST.LOCAL = {\r\n ...\r\n<\/pre>\n
                  – This does not<\/strong> works<\/p>\n
                  \r\n[libdefaults]\r\n    default_realm = mytest.local\r\n[realms]\r\n    mytest.local = {\r\n<\/pre>\n
                  Windows 2008 Domain Controller<\/h3><\/span>\n
                  * On the client machine, user cannot<\/strong> be a domain administrator. Otherwise, LSA ticket cannot be accessed. Windows 2003 does not have this restriction.
                  \n* Encryption types need to be<\/p>\n
                  \r\n    default_tkt_enctypes = rc4-hmac \r\n    default_tgt_enctypes = rc4-hmac \r\n    permitted_enctypes = rc4-hmac\r\n<\/pre>\n
                  Tools<\/h2><\/span>\n
                  Windows klist.exe<\/em><\/h3><\/span>\n
                  \r\ncd c:\\Windows\\system32\r\nklist\r\nc:\\Windows\\System32>klist\r\n\r\nCurrent LogonId is 0:0x4d672\r\n\r\nCached Tickets: (5)\r\n\r\n#0>     Client: Administrator @ MYTEST.LOCAL\r\n        Server: krbtgt\/MYTEST.LOCAL @ MYTEST.LOCAL\r\n        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)\r\n        Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent\r\n        Start Time: 11\/22\/2012 20:39:15 (local)\r\n        End Time:   11\/23\/2012 6:05:44 (local)\r\n        Renew Time: 11\/29\/2012 0:35:44 (local)\r\n        Session Key Type: RSADSI RC4-HMAC(NT)\r\n<\/pre>\n
                  MIT Kerberos for Windows<\/h3><\/span>\n
                  * Download MIT Kerberos for Windows from MIT Kerberos dist site<\/a>, e.g. Installer kfw-3-2-2.exe, 6425k.
                  \n* Double click to install.<\/p>\n
                  Sync Time with Windows Server<\/h3><\/span>\n
                  w32tm \/resync<\/p>\n
                  References<\/h2><\/span>\n
                  * Java SE 6: java.net.Authenticator<\/a>
                  \n*                   Http Authentication<\/a>
                  \n*                   Kerberos Programming on Windows<\/a>
                  \n*                   Class Krb5LoginModule<\/a>
                  \n*                   http:\/\/old.nabble.com\/Error-calling-function-protocol-status:-1312-td25889010.html<\/a>
                  \n*                   http:\/\/blog.facilelogin.com\/2010\/11\/kerberos-debugging-tips.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
                  Overview Http Authentication * Java SE supports: – HTTP Basic authentication – HTTP Digest authentication – NTLM – Http SPNEGO Negotiate with Kerberos and NTLM * Uses java.net.Authenticator to – enable authentication – provide access to a store of usernames … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[287],"tags":[291,372,290,628],"class_list":["post-6716","post","type-post","status-publish","format-standard","hentry","category-kerberos","tag-authentication","tag-authenticator","tag-http","tag-kerberos"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-1Kk","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/6716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6716"}],"version-history":[{"count":32,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/6716\/revisions"}],"predecessor-version":[{"id":7936,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/6716\/revisions\/7936"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}