Kerberos Authentication (Outbound Scenarios)
Kerberos authentication policy can be used in any of the following scenarios:
Ensure that the Evaluate HTTP Basic Authentication policy is enforced and the Use Existing Credentials option is marked.
When a service provider wants a web service client that does not have the ability to generate the Kerberos token to access a service enforced with the Kerberos policy. It is also used when service provider wants a web service client to access a service enforced with the kerberos policy.
Mediator tries to obtain the Kerberos token from the KDC server on behalf of the authenticated client.
Note: Before configuring Kerberos, ensure that IS must be configured to LDAP as the incoming client credentials will be authenticated to verify whether its a valid LDAP user. Also, refer to the Configuring Kerberos in Integration Server chapter in the webMethods Integration Server Administrator’s Guide to complete the prerequisites.
When the service provider wants a web service client to access a service enforced with the Kerberos policy.
Mediator tries to obtain the Kerberos token from the KDC server by using the configured client principal name and password for the virtual service.
Note: Before configuring Kerberos, refer to the Configuring Kerberos in Integration Server chapter in the webMethods Integration Server Administrator’s Guide to complete the prerequisites.
Kerberos authentication can be performed using one of the following modes available under the Authenticate Using drop-down list in the Kerberos Authentication screen. The authentication can be performed using the appropriate modes when the service provider wants a web service client that does not have access to the Kerberos server to access a service enforced with the Kerberos policy:
Custom Credentials: The values provided in the policy is used to obtain the Kerberos token to access the native service.
Delegate Incoming Credentials: The values provided in the policy is used by the API providers to select whether to delegate the incoming kerberos token or act as a normal client.
Note: To use the Delegate Incoming Credentials mode, ensure that in the krb.conf file, the forwardable parameter is set to true.
Secure Alias: The secure alias will be used to obtain the kerberos token to access the native service. For information on configuring secure alias, refer to the
Mediator Runtime Aliases section in
Working with the CentraSite Business UI Guide.
Use Existing Credentials: The existing incoming credentials will be used to get the kerberos token from the KDC server to access the native API. Ensure that the
Evaluate HTTP Basic Authentication policy is enforced and the
Authenticate User option is selected.
Note: The Mediator to native service communication must be over SSL.
Input Parameters
Enforcement Point | (Only for SOAP-based APIs). You can select the level at which the Kerberos outbound authentication support is available. |
Value | Description |
Transport Level | To use Kerberos over Transport Level. |
Message Level | To use Kerberos over Message Level. |
Authenticate Using: Custom Credentials |
Value | Description |
Client Principal | (String). A valid client LDAP user name. |
Client Password | (String). A valid password of the client LDAP user. |
Service Principal | (String). A valid Service Principal Name (SPN). The specified value will be used by the client to obtain a service ticket from the KDC server. The SPN is created in the Active Directory (AD) by the AD domain administrator using the following command: Setspn –a <domain name>\<username> spnname For example, setspn -a eur\user1 spnname Note: Service Principal Name is currently only supported as a user name based form and not a service name based form. The SPN for the native service endpoint. |
Service Principal Name Form | The username form, for example, kerberospoc/bob1.SPARTA.RNDLAB.LOC |
Authenticate Using: Delegate Incoming Credentials |
Value | Description |
Client Principal | (String). A valid client LDAP user name. |
Client Password | (String). A valid password of the client LDAP user. |
Service Principal | (String). A valid Service Principal Name (SPN). The specified value will be used by the client to obtain a service ticket from the KDC server. The SPN is created in the Active Directory (AD) by the AD domain administrator using the following command: Setspn –a <domain name>\<username> spnname For example, setspn -a eur\user1 spnname Note: Service Principal Name is currently only supported as a user name based form and host based form. The SPN for the native service endpoint. |
Service Principal Name Form | The username form, for example, kerberospoc/bob1.SPARTA.RNDLAB.LOC |
Authenticate Using: Secure Alias |
Value | Description |
Alias Name | (String). Name to the alias configured. |
Authenticate Using: Use Existing Credentials |
Service Principal | (String). A valid Service Principal Name (SPN). The specified value will be used by the client to obtain a service ticket from the KDC server. The SPN is created in the Active Directory (AD) by the AD domain administrator using the following command: Setspn –a <domain name>\<username> spnname For example, setspn -a eur\user1 spnname Note: Service Principal Name is currently only supported as a user name based form and not a service name based form. The SPN for the native service endpoint. |
Service Principal Name Form | The username form, for example, kerberospoc/bob1.SPARTA.RNDLAB.LOC |