http://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/csec_kerb_auth_explain.html https://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.base.doc/ae/tsec_kerb_auth_client.html http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_kerb_setup.html http://www.ibm.com/support/knowledgecenter/SSCKBL_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/rwbs_spnego_tokens_outbound_jaxws_client_bindings.html
http://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_kerb_create_conf.html http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_kerb_create_spn.html
- New policy set: https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_confkerbprofilejaxws.html
- Oracle Weblogic: http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html
- Client: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part5.html
PS C:\Users\administrator.DFU> setspn -A HTTP/inv5391-pc.msk.i-teco.ru vmuser
Registering ServicePrincipalNames for CN=vmuser vmuser,CN=Users,DC=dfu,DC=i-teco,DC=ru
HTTP/inv5391-pc.msk.i-teco.ru
Updated object
PS C:\Users\administrator.DFU>
PS C:\Users\administrator.DFU> ktpass -out c:\temp\vmuser.keytab -princ HTTP/[email protected] -map
User [email protected] -mapOp set -pass cit -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL
Targeting domain controller: DFUDC2.dfu.i-teco.ru
Successfully mapped HTTP/inv5391-pc.msk.i-teco.ru to vmuser.
Password succesfully set!
Key created.
Output keytab to c:\temp\vmuser.keytab:
Keytab version: 0x502
keysize 94 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylen
gth 32 (0x3673867bfba5a71e5a6463e858d4a0a1e4f86574eb7bd58e42697afcb0a69739)
PS C:\Users\administrator.DFU>
https://dmdaa.wordpress.com/2010/10/16/how-to-obtain-and-authenticate-kerberos-and-spnego-tokens-with-jgss/ https://dmdaa.wordpress.com/2010/03/13/kerberos-setup-and-jaas-configuration-for-running-sun-jgss-tutorial-against-ad/
AdminTask createKrbConfigFile {-krbPath c:/winnt/krb5.ini -realm WSSEC.AUSTIN.IBM.COM -kdcHost host1.austin.ibm.com -dns austin.ibm.com|raleigh.ibm.com -keytabPath c:/winnt/krb5.keytab}
root@kovrov-dev1:~# ktutil
ktutil: addent -password -p [email protected] -k 1 -e aes256-cts-hmac-sha1-96
# wsadmin (Jython) form of the Jacl createKrbConfigFile example above: writes a
# krb5.ini for realm DFU.I-TECO.RU with KDC dfu.i-teco.ru and the keytab at
# c:/winnt/krb5.keytab. Only one DNS domain is given here; the Jacl example shows
# several joined with '|'.
# NOTE(review): the krb5.ini listed below (presumably this command's output —
# confirm) carries default_tkt_enctypes/default_tgs_enctypes of rc4-hmac and
# des-cbc-md5 only, while the keytab above was cut with AES256-SHA1 (etype 0x12);
# reconcile the enctype lists with the keytab before relying on the file.
AdminTask.createKrbConfigFile( ['-krbPath', 'c:/winnt/krb5.ini', '-realm', 'DFU.I-TECO.RU', '-kdcHost', 'dfu.i-teco.ru', '-dns', 'dfu.i-teco.ru', '-keytabPath', 'c:/winnt/krb5.keytab'])
# Prints wsadmin's parameter reference for the command (same as the Jacl
# "$AdminTask help createKrbConfigFile" at the end of these notes).
print AdminTask.help("createKrbConfigFile")
c:/winnt/krb5.ini file:
# Kerberos client configuration in MIT/Java krb5.conf layout. Realm, KDC and
# keytab path match the createKrbConfigFile call above.
[libdefaults]
default_realm = DFU.I-TECO.RU
default_keytab_name = FILE:c:/winnt/krb5.keytab
# NOTE(review): only RC4 and single-DES are offered here, but the keytab above was
# written with etype 0x12 (AES256-SHA1, `ktpass -crypto AES256-SHA1`). With an
# AES-only keytab, RC4/DES service tickets cannot be decrypted by the service; the
# two lists should include aes256-cts-hmac-sha1-96 (and des-cbc-md5, a deprecated
# enctype, should be dropped) — confirm against the KDC's supported enctypes.
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
# forwardable TGTs are only required when the service must delegate the client's
# credentials (klist above shows ok_as_delegate on several tickets) — verify that
# delegation is actually needed before keeping this on.
forwardable = true
renewable = true
# No client addresses in tickets; needed behind NAT/VPN, but it also makes a
# stolen ticket usable from any host.
noaddresses = true
# Allowed clock difference from the KDC, in seconds.
clockskew = 300
[realms]
DFU.I-TECO.RU = {
kdc = dfu.i-teco.ru:88
default_domain = dfu.i-teco.ru
}
MSK.I-TECO.RU = {
kdc = msk.i-teco.ru:88
default_domain = msk.i-teco.ru
}
[domain_realm]
dfu.i-teco.ru = DFU.I-TECO.RU
.dfu.i-teco.ru = DFU.I-TECO.RU
# NOTE(review): the SPN host inv5391-pc.msk.i-teco.ru maps to MSK.I-TECO.RU by
# these rules, while the SPN was registered on a DFU account (setspn output above).
# A client will therefore ask MSK.I-TECO.RU for HTTP/inv5391-pc.msk.i-teco.ru and
# depend on cross-realm referral to DFU — confirm that path works or map the host
# explicitly to DFU.I-TECO.RU.
msk.i-teco.ru = MSK.I-TECO.RU
.msk.i-teco.ru = MSK.I-TECO.RU
PS C:\Users\administrator.DFU> klist
Current LogonId is 0:0x3e70184c
Cached Tickets: (7)
#0> Client: Administrator @ DFU.I-TECO.RU
Server: krbtgt/I-TECO.RU @ DFU.I-TECO.RU
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 9/29/2016 13:48:40 (local)
End Time: 9/29/2016 23:40:42 (local)
Renew Time: 10/6/2016 13:40:42 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
#1> Client: Administrator @ DFU.I-TECO.RU
Server: krbtgt/DFU.I-TECO.RU @ DFU.I-TECO.RU
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
Start Time: 9/29/2016 13:43:49 (local)
End Time: 9/29/2016 23:40:42 (local)
Renew Time: 10/6/2016 13:40:42 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#2> Client: Administrator @ DFU.I-TECO.RU
Server: krbtgt/DFU.I-TECO.RU @ DFU.I-TECO.RU
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 9/29/2016 13:40:42 (local)
End Time: 9/29/2016 23:40:42 (local)
Renew Time: 10/6/2016 13:40:42 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#3> Client: Administrator @ DFU.I-TECO.RU
Server: ldap/tnaddsiteco01.i-teco.ru @ I-TECO.RU
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 9/29/2016 13:48:40 (local)
End Time: 9/29/2016 23:40:42 (local)
Renew Time: 10/6/2016 13:40:42 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#4> Client: Administrator @ DFU.I-TECO.RU
Server: cifs/DFUDC1.dfu.i-teco.ru @ DFU.I-TECO.RU
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 9/29/2016 13:43:49 (local)
End Time: 9/29/2016 23:40:42 (local)
Renew Time: 10/6/2016 13:40:42 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#5> Client: Administrator @ DFU.I-TECO.RU
Server: ldap/DFUDC1.dfu.i-teco.ru @ DFU.I-TECO.RU
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 9/29/2016 13:43:48 (local)
End Time: 9/29/2016 23:40:42 (local)
Renew Time: 10/6/2016 13:40:42 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#6> Client: Administrator @ DFU.I-TECO.RU
Server: cifs/nas.dfu.i-teco.ru @ DFU.I-TECO.RU
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 9/29/2016 13:40:49 (local)
End Time: 9/29/2016 23:40:42 (local)
Renew Time: 10/6/2016 13:40:42 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
$AdminTask help createKrbConfigFile