You can configure a Liberty server to support Kerberos constrained delegation for
out-bound SPNEGO tokens.
Before you begin
Make sure that you have configured SPNEGO web authentication.
Only IBM® JDK 1.8 and later are supported.
About this task
The Kerberos v5 extension called S4U (Services for Users), also known as constrained delegation,
comprises two parts:
- S4U2self
Allows a Liberty server to obtain a service ticket to itself on behalf of a user. This can be
used with any form of authentication that is supported by Liberty. S4U2self is the
Kerberos Protocol Transition extension.
- S4U2proxy
Allows a Liberty server to obtain service tickets to trusted services on behalf of a user. These
service tickets are obtained by using the user's service ticket to the Liberty service. The services
are constrained by the Kerberos Key Distribution Center (KDC) administrator.
S4U2proxy is the Kerberos Constrained Delegation extension.
The constrained delegation feature provides the following APIs to create the out-bound SPNEGO
token for back end services that support SPNEGO authentication, such as .NET servers and other
Liberty servers.
- S4U2self API:
com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorizationUsingS4U2self()
- S4U2proxy API:
com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorization()
The following steps use the same example system setup that is used in Configuring SPNEGO authentication in
Liberty and illustrated in Single sign-on for HTTP requests using SPNEGO web authentication.
Procedure
- On the Microsoft domain controller
myAdMachine.example.com, update the service principal name (SPN) that you use to
validate the incoming SPNEGO token. For example, update the
HTTP/myLibertyMachine.example.com SPN as follows:
- To use S4U2self, perform the following steps:
- Open the user account that is mapped to the delegate SPN.
- Open the Attribute Editor tab.
- Modify the userAccountControl property as follows:
- Trusted for auth delegation (0x1000000, or the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
enum) must be true.
- Set the trusted service:
- Open the Delegation tab in the user account.
- Select the Trust this user for delegation to specified services only
radio button.
- Select the Use any authentication protocol radio button.
- Click on Add to add the trusted service.
- Click Users or Computers.
- Enter the SPN to be used for the trusted service.
- Click Check Names and verify that the appropriate object name was
found.
- Click OK.
- Select the SPN specified and click OK.
- To use S4U2proxy, perform the following steps:
- Open the user account that is mapped to the delegate SPN.
- Open the Attribute Editor tab.
- Modify the userAccountControl property as follows:
- Trusted for auth delegation (0x1000000, or the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
enum) must be true.
- Set the trusted service:
- Open the Delegation tab in the user account.
- Select the Trust this user for delegation to specified services only
radio button.
- Click on Add to add the trusted service.
- Click Users or Computers.
- Enter the SPN to be used for the trusted service.
- Click Check Names and verify that the appropriate object name was
found.
- Click OK.
- Select the SPN specified and click OK.
- On the Liberty server machine (myLibertyMachine.example.com), enable the
constrained delegation feature by adding constrainedDelegation-1.0 to the
featureManager element and configure the JAAS Kerberos login module in the
server.xml file.
<featureManager>
<feature>spnego-1.0</feature>
<feature>constrainedDelegation-1.0</feature>
...
</featureManager>
<jaasLoginContextEntry id="com.ibm.security.jgss.krb5.accept" name="com.ibm.security.jgss.krb5.accept" loginModuleRef="useKeytab" />
<jaasLoginModule id="useKeytab" className="com.ibm.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
<options
credsType="both"
debug="true"
useDefaultCcache="false"
tryFirstPass="true"
forwardable="true"
principal="HTTP/myLibertyMachine.example.com"
useKeytab="${server.config.dir}/resources/security/kerberos/krb5.keytab">
</options>
</jaasLoginModule>
<library id="jaasSharedLib" apiTypeVisibility="spec, ibm-api, api">
<fileset dir="${server.config.dir}/lib/global/" includes="*" />
</library>
When the constrainedDelegation-1.0 feature is enabled, the following configuration is implicit:
<constrainedDelegation id="defaultConstrainedDelegation" s4U2selfEnabled="false" />
To use S4U2self, the following configuration is needed in the server.xml file:
<constrainedDelegation s4U2selfEnabled="true" id="defaultConstrainedDelegation"/>
Note: When you use the S4U2proxy API, the jaasLoginContextEntry id and name must remain
com.ibm.security.jgss.krb5.accept; they cannot be changed.
Note: By default, S4U2proxy is enabled and S4U2self is disabled. The S4U2self extension can be
enabled or disabled by modifying the s4U2selfEnabled attribute in the server.xml file.
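The procedure above depends on two things that are easy to get subtly wrong: the delegate account's userAccountControl must carry the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION bit (0x1000000), and server.xml must enable exactly the right feature name and keep the jaasLoginContextEntry id and name at com.ibm.security.jgss.krb5.accept. The following pre-flight checker is an added example, not IBM's or Liberty's own code; the two server.xml documents it parses are constructed for the example, and the extra userAccountControl bits it decodes (NORMAL_ACCOUNT, TRUSTED_FOR_DELEGATION) are standard Active Directory values assumed here for context.

```python
"""Pre-flight checks for a Liberty constrained-delegation setup (added example)."""
import xml.etree.ElementTree as ET

# Bit named on the page: protocol transition (S4U2self) is permitted for the account.
TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000
# Assumed standard AD userAccountControl bits, decoded for context only.
NORMAL_ACCOUNT = 0x0200
TRUSTED_FOR_DELEGATION = 0x80000  # unconstrained delegation; not what this procedure wants

REQUIRED_FEATURES = {"spnego-1.0", "constrainedDelegation-1.0"}
REQUIRED_JAAS_ENTRY = "com.ibm.security.jgss.krb5.accept"


def decode_uac(uac: int) -> dict:
    """Report the delegation-relevant bits set in a userAccountControl value."""
    return {
        "normal_account": bool(uac & NORMAL_ACCOUNT),
        "unconstrained_delegation": bool(uac & TRUSTED_FOR_DELEGATION),
        "protocol_transition": bool(uac & TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION),
    }


def check_server_xml(xml_text: str) -> list:
    """Return the problems found in a server.xml for constrained delegation (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)

    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for missing in sorted(REQUIRED_FEATURES - features):
        problems.append(f"feature {missing} is not enabled")
    # A misspelled feature name is silently ignored by the server, so flag anything close.
    for f in features:
        if "delegation" in f.lower() and f not in REQUIRED_FEATURES:
            problems.append(f"feature {f} looks misspelled; expected constrainedDelegation-1.0")

    entries = [e for e in root.iter("jaasLoginContextEntry")
               if e.get("id") == REQUIRED_JAAS_ENTRY and e.get("name") == REQUIRED_JAAS_ENTRY]
    if not entries:
        problems.append(f"no jaasLoginContextEntry with id and name {REQUIRED_JAAS_ENTRY}")
    else:
        ref = entries[0].get("loginModuleRef")
        modules = {m.get("id"): m for m in root.iter("jaasLoginModule")}
        if ref not in modules:
            problems.append(f"loginModuleRef {ref} does not match any jaasLoginModule")
        else:
            opts = modules[ref].find("options")
            principal = opts.get("principal", "") if opts is not None else ""
            if not principal.startswith("HTTP/"):
                problems.append("login module principal is not an HTTP/ SPN")
    return problems


def s4u2self_enabled(xml_text: str) -> bool:
    """Effective s4U2selfEnabled: false unless a constrainedDelegation element sets it to true."""
    root = ET.fromstring(xml_text)
    cd = next(root.iter("constrainedDelegation"), None)
    return cd is not None and cd.get("s4U2selfEnabled", "false").lower() == "true"


# Constructed sample: misspelled feature name and no constrainedDelegation element.
BAD_SERVER_XML = """<server>
<featureManager><feature>spnego-1.0</feature><feature>contrainedDelegation-1.0</feature></featureManager>
<jaasLoginContextEntry id="com.ibm.security.jgss.krb5.accept" name="com.ibm.security.jgss.krb5.accept" loginModuleRef="useKeytab"/>
<jaasLoginModule id="useKeytab" className="com.ibm.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED">
<options credsType="both" principal="HTTP/myLibertyMachine.example.com"/>
</jaasLoginModule>
</server>"""

# Constructed sample: the corrected configuration with S4U2self switched on.
GOOD_SERVER_XML = BAD_SERVER_XML.replace("contrainedDelegation", "constrainedDelegation").replace(
    "</server>", '<constrainedDelegation id="defaultConstrainedDelegation" s4U2selfEnabled="true"/>\n</server>')

if __name__ == "__main__":
    print(decode_uac(NORMAL_ACCOUNT | TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION))
    for label, doc in (("bad", BAD_SERVER_XML), ("good", GOOD_SERVER_XML)):
        print(label, check_server_xml(doc) or "OK", "s4U2self:", s4u2self_enabled(doc))
```

Run it against a real server.xml by reading the file into `check_server_xml`; the userAccountControl integer can be taken from the Attribute Editor value set in the domain-controller steps. Because a misspelled feature name does not produce a configuration error, the spelling check is the part most likely to save a debugging session.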
Results
Your application is now ready to call the API provided by the constrained delegation
feature.