You can configure a Liberty server
to support Kerberos constrained delegation for out-bound SPNEGO tokens.
Before you begin
Make sure that you have configured SPNEGO web authentication.
Only IBM® JDK 1.8 and later are supported.
About this task
The Kerberos v5 extension called S4U (Services for Users), also known as constrained delegation,
comprises two parts:
- S4U2self
Allows a Liberty server to obtain a
service ticket to itself on behalf of a user. This can be used with any form of authentication that
is supported by Liberty.
S4U2self is the Kerberos Protocol Transition extension.
- S4U2proxy
Allows a Liberty server to obtain service
tickets to trusted services on behalf of a user. These service tickets are obtained by using the
user's service ticket to the Liberty service.
The services are constrained by the Kerberos Key Distribution Center (KDC) administrator.
S4U2proxy is the Kerberos Constrained Delegation extension.
The constrained delegation feature provides the following APIs to create the out-bound SPNEGO
token for back end services that support SPNEGO authentication, such as .NET servers and other
Liberty servers.
- S4U2self API:
com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorizationUsingS4U2self()
- S4U2proxy API:
com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorization()
The following steps use the same example system setup that is used in Configuring SPNEGO authentication in
Liberty and illustrated in Single sign-on for HTTP requests using SPNEGO web authentication.
Procedure
- On the Microsoft domain controller
myAdMachine.example.com, update the service principal name (SPN) that you use to
validate the incoming SPNEGO token. For example, update the
HTTP/myLibertyMachine.example.com SPN as follows:
- To use S4U2self, perform the following steps:
- Open the user account that is mapped to the delegate SPN.
- Open the Attribute Editor tab.
- Modify the userAccountControl property as follows:
- Trusted for auth delegation (0x1000000, or the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
enum) must be true.
- Set the trusted service:
- Open the Delegation tab in the user account.
- Select the Trust this user for delegation to specified services only
radio button.
- Select the Use any authentication protocol radio button.
- Click on Add to add the trusted service.
- Click Users or Computers.
- Enter the SPN to be used for the trusted service.
- Click Check Names and verify that the appropriate object name was
found.
- Click OK.
- Select the SPN specified and click OK.
- To use S4U2proxy, perform the following steps:
- Open the user account that is mapped to the delegate SPN.
- Open the Attribute Editor tab.
- Modify the userAccountControl property as follows:
- Trusted for auth delegation (0x1000000, or the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
enum) must be true.
- Set the trusted service:
- Open the Delegation tab in the user account.
- Select the Trust this user for delegation to specified services only
radio button.
- Click on Add to add the trusted service.
- Click Users or Computers.
- Enter the SPN to be used for the trusted service.
- Click Check Names and verify that the appropriate object name was
found.
- Click OK.
- Select the SPN specified and click OK.
- On the Liberty server machine
(myLibertyMachine.example.com), enable the constrained delegation feature by adding
constrainedDelegation-1.0 to the featureManager, and configure the
JAAS Kerberos login module in the server.xml file:
<featureManager>
<feature>spnego-1.0</feature>
<feature>constrainedDelegation-1.0</feature>
...
</featureManager>
<!-- The S4U2proxy API looks up this entry by this exact id and name; do not rename it. -->
<jaasLoginContextEntry id="com.ibm.security.jgss.krb5.accept" name="com.ibm.security.jgss.krb5.accept" loginModuleRef="useKeytab" />
<jaasLoginModule id="useKeytab" className="com.ibm.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
<options
credsType="both"
debug="true"
useDefaultCcache="false"
tryFirstPass="true"
forwardable="true"
principal="HTTP/myLibertyMachine.example.com"
useKeytab="${server.config.dir}/resources/security/kerberos/krb5.keytab">
</options>
</jaasLoginModule>
<library id="jaasSharedLib" apiTypeVisibility="spec, ibm-api, api">
<fileset dir="${server.config.dir}/lib/global/" includes="*" />
</library>
When the constrainedDelegation-1.0 feature is enabled, the following configuration is implicit:
<constrainedDelegation id="defaultConstrainedDelegation" s4U2selfEnabled="false" />
To use S4U2self, the following configuration is needed in the server.xml file:
<constrainedDelegation s4U2selfEnabled="true" id="defaultConstrainedDelegation"/>
Note: When you use the S4U2proxy API, the jaasLoginContextEntry id and name
com.ibm.security.jgss.krb5.accept cannot be changed.
Note: By default,
S4U2proxy is enabled and S4U2self is disabled. The
S4U2self extension can be enabled or disabled by modifying the
s4U2selfEnabled attribute in the server.xml file.
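The rules above (both features enabled, the krb5.accept entry keeping its exact id and name, and S4U2self implicitly off unless s4U2selfEnabled="true") are easy to get wrong with a one-letter typo in server.xml. The following check is an added example, not part of this topic or of Liberty itself; the server.xml it parses is a constructed sample, and the checks are derived only from the statements in this topic.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original topic); the check below reads it.
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>spnego-1.0</feature>
    <feature>constrainedDelegation-1.0</feature>
  </featureManager>
  <jaasLoginContextEntry id="com.ibm.security.jgss.krb5.accept"
      name="com.ibm.security.jgss.krb5.accept" loginModuleRef="useKeytab"/>
  <jaasLoginModule id="useKeytab"
      className="com.ibm.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED"/>
</server>"""

KRB5_ACCEPT = "com.ibm.security.jgss.krb5.accept"
REQUIRED_FEATURES = {"spnego-1.0", "constrainedDelegation-1.0"}


def check_constrained_delegation(server_xml: str) -> dict:
    """Report the effective S4U2proxy/S4U2self state and any configuration problems."""
    root = ET.fromstring(server_xml)
    problems = []
    # Feature names are exact; a misspelled feature is simply not enabled.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for missing in sorted(REQUIRED_FEATURES - features):
        problems.append(f"feature {missing} not enabled")
    # The S4U2proxy API requires the accept entry to keep this exact id and name.
    entry = next((e for e in root.iter("jaasLoginContextEntry")
                  if e.get("id") == KRB5_ACCEPT and e.get("name") == KRB5_ACCEPT), None)
    if entry is None:
        problems.append(f"no jaasLoginContextEntry with id and name {KRB5_ACCEPT}")
    else:
        modules = {m.get("id"): m for m in root.iter("jaasLoginModule")}
        module = modules.get(entry.get("loginModuleRef"))
        if module is None or not module.get("className", "").endswith("Krb5LoginModule"):
            problems.append("loginModuleRef does not resolve to a Krb5LoginModule")
    # With the feature enabled and no <constrainedDelegation> element, Liberty
    # implies s4U2selfEnabled="false", so S4U2self is off unless set to "true".
    cd = root.find("constrainedDelegation")
    s4u2self = cd is not None and cd.get("s4U2selfEnabled", "false").lower() == "true"
    return {"s4u2proxy": "constrainedDelegation-1.0" in features,
            "s4u2self": s4u2self, "problems": problems}
```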
Results
Your application is now ready to call the API provided by the constrained delegation
feature.