Kerberos Authentication (Outbound Scenarios)
Kerberos authentication policy can be used in any of the following scenarios:
Note: Kerberos authentication support is available at message level and at transport level. The Kerberos authentication policy complies with the KerberosOverTransport section described in the following article: https://msdn.microsoft.com/en-us/library/aa751836(v=vs.110).aspx.
Ensure that the Evaluate HTTP Basic Authentication policy is enforced and the Use Existing Credentials option is marked.
*When a service provider wants a web service client that does not have the ability to generate the Kerberos token to access a service enforced with the Kerberos policy. It is also used when the service provider wants a web service client to access a service enforced with the Kerberos policy.
Mediator tries to obtain the Kerberos token from the KDC server on behalf of the authenticated client.
Note: Before configuring Kerberos, ensure that Integration Server (IS) is configured to use LDAP, because the incoming client credentials are authenticated against LDAP to verify that the client is a valid LDAP user. Also refer to the Configuring Kerberos in Integration Server chapter in the webMethods Integration Server Administrator's Guide to complete the prerequisites.
*When the service provider wants a web service client to access a service enforced with the Kerberos policy.
Mediator tries to obtain the Kerberos token from the KDC server by using the configured client principal name and password for the virtual service.
Note: Before configuring Kerberos, refer to the Configuring Kerberos in Integration Server chapter in the webMethods Integration Server Administrator's Guide to complete the prerequisites.
Kerberos authentication can be performed using one of the following modes available under the Authenticate Using drop-down list in the Kerberos Authentication screen. The authentication can be performed using the appropriate modes when the service provider wants a web service client that does not have access to the Kerberos server to access a service enforced with the Kerberos policy:
*Custom Credentials: The values provided in the policy are used to obtain the Kerberos token to access the native service.
*Delegate Incoming Credentials: The values provided in the policy are used by API providers to select whether to delegate the incoming Kerberos token or to act as a normal client.
Note: To use the Delegate Incoming Credentials mode, ensure that in the krb.conf file the forwardable parameter is set to true.
*Secure Alias: The secure alias is used to obtain the Kerberos token to access the native service. For information on configuring a secure alias, refer to the Mediator Runtime Aliases section in the Working with the CentraSite Business UI Guide.
*Use Existing Credentials: The existing incoming credentials are used to get the Kerberos token from the KDC server to access the native API. Ensure that the Evaluate HTTP Basic Authentication policy is enforced and the Authenticate User option is selected.
Note: The Mediator to native service communication must be over SSL.
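The Delegate Incoming Credentials note above requires forwardable tickets, and every mode needs a Service Principal in the name/host form shown on this page. The following added example (not Software AG's code) checks both prerequisites offline; it assumes the file uses the standard krb5.conf layout with a [libdefaults] section, and the configuration text is constructed for illustration.

```python
import re

# Constructed sample configuration (not from the page). The page calls the file
# krb.conf; the MIT/Java layout with a [libdefaults] section is assumed here.
SAMPLE_KRB_CONF = """\
[libdefaults]
    default_realm = SPARTA.RNDLAB.LOC
    forwardable = true
    dns_lookup_kdc = false

[realms]
    SPARTA.RNDLAB.LOC = {
        kdc = kdc.sparta.rndlab.loc
    }
"""

def libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section as a dict."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()       # new section header
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key.lower()] = value
    return values

def is_forwardable(conf_text):
    """True only when [libdefaults] explicitly sets forwardable = true."""
    return libdefaults(conf_text).get("forwardable", "").lower() == "true"

# name/host form with an optional @REALM suffix, e.g. kerberospoc/bob1.SPARTA.RNDLAB.LOC
SPN_FORM = re.compile(r"[^/@\s]+/[^/@\s]+(@[^@\s]+)?")

def spn_has_expected_form(spn):
    """Check that the Service Principal is in the name/host form shown on the page."""
    return SPN_FORM.fullmatch(spn) is not None

def delegate_mode_findings(conf_text, spn):
    """Return a list of problems; an empty list means both prerequisites hold."""
    findings = []
    if not is_forwardable(conf_text):
        findings.append("forwardable is not set to true in [libdefaults]")
    if not spn_has_expected_form(spn):
        findings.append("Service Principal %r is not in name/host form" % spn)
    return findings
```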
Input Parameters
Enforcement Point
(Only for SOAP-based APIs). Select the level at which Kerberos outbound authentication is applied:
Transport Level: To use Kerberos at the transport level.
Message Level: To use Kerberos at the message level.
Authenticate Using: Custom Credentials
Client Principal: (String). A valid client LDAP user name.
Client Password: (String). A valid password of the client LDAP user.
Service Principal: (String). A valid Service Principal Name (SPN) for the native service endpoint. The specified value is used by the client to obtain a service ticket from the KDC server. The SPN is created in Active Directory (AD) by the AD domain administrator using the following command:
setspn -a <domain name>\<username> spnname
For example,
setspn -a eur\user1 spnname
Note: Service Principal Name is currently only supported in the user name based form, not the service name based form.
Service Principal Name Form: The username form, for example, kerberospoc/bob1.SPARTA.RNDLAB.LOC
Authenticate Using: Delegate Incoming Credentials
Client Principal: (String). A valid client LDAP user name.
Client Password: (String). A valid password of the client LDAP user.
Service Principal: (String). A valid Service Principal Name (SPN) for the native service endpoint. The specified value is used by the client to obtain a service ticket from the KDC server. The SPN is created in Active Directory (AD) by the AD domain administrator using the following command:
setspn -a <domain name>\<username> spnname
For example,
setspn -a eur\user1 spnname
Note: Service Principal Name is currently only supported in the user name based form and the host based form.
Service Principal Name Form: The username form, for example, kerberospoc/bob1.SPARTA.RNDLAB.LOC
Authenticate Using: Secure Alias
Alias Name: (String). Name of the configured alias.
Authenticate Using: Use Existing Credentials
Service Principal: (String). A valid Service Principal Name (SPN) for the native service endpoint. The specified value is used by the client to obtain a service ticket from the KDC server. The SPN is created in Active Directory (AD) by the AD domain administrator using the following command:
setspn -a <domain name>\<username> spnname
For example,
setspn -a eur\user1 spnname
Note: Service Principal Name is currently only supported in the user name based form, not the service name based form.
Service Principal Name Form: The username form, for example, kerberospoc/bob1.SPARTA.RNDLAB.LOC

Copyright © 2015- 2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release