Evaluate Kerberos Token
The Evaluate Kerberos Token policy can be used in any of the following scenarios:
* When the native service does not support Kerberos authentication.
* When you want to centrally configure Kerberos authentication in Mediator for services where Mediator is configured to forward the request to a clustered group of native servers through a load balancer.
Note:  
For the Evaluate Kerberos Token policy, JMS and HTTP are not supported as inbound protocols. The policy complies with the KerberosOverTransport section described in the following article: https://msdn.microsoft.com/en-us/library/aa751836.aspx. Kerberos inbound authentication support is available at message level and at transport level.
Also, ensure that the watt.server.auth.skipForMediator property is set to true on the Extended Settings page of Integration Server.
Input Parameters
Enforcement Point
Only for SOAP-Based APIs. You can select the level at which the Kerberos inbound authentication support is available.
| Value | Description |
| --- | --- |
| Transport Level | To use Kerberos over Transport Level. |
| Message Level | To use Kerberos over Message Level. |
Service Principal Name Form
The Service Principal Name (SPN) name type to be used while authenticating an incoming client principal name.
| Value | Description |
| --- | --- |
| User | The username form, for example, kerberospoc/ bob1.SPARTA.RNDLAB.LOC. |
| Host | The host form, for example, LocalSysHostBasedAuth@VMCHNADFS02W.sag.vmchnadfs20w.com |
Service Principal Name
String. Mandatory. A valid SPN. The specified value is used by the client or the server to obtain a service ticket from the KDC server. The SPN is created in Active Directory (AD) by the AD domain administrator using the following command (setspn takes the SPN first, then the account that will hold it):
setspn -a spnname <domain name>\<username>
For example,
setspn -a spnname eur\user1
The Service Principal Name is supported in both the user name based form and the host name based form.
Service Principal Password
String. Mandatory. A valid password of the SPN user or the SPN host.
For example, if the setspn command is set for the domain user eur\user1, this field represents the password set for the domain user eur\user1.
Identify Consumer
String. The list of consumers against which the Kerberos token must be validated for identifying requests from a particular client or server.
| Value | Description |
| --- | --- |
| Do Not Identify | Mediator forwards the request to the native API without identifying the consumer application (in the global or registered consumer list) that corresponds to the principal identified after successful Kerberos authentication. |
| Registered Consumers | Mediator tries to identify the consumer based on the principal that it set after successful Kerberos authentication, against the list of consumer applications that are registered as consumers for the specified API. |
| Global Consumers | Default. Mediator tries to identify the consumer based on the principal that it set after successful Kerberos authentication, against the list of global consumer applications in Mediator. |
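
After the SPN for the Service Principal Name parameter has been registered with setspn, it is worth confirming that exactly one account holds it, because a missing or duplicated SPN causes Kerberos authentication for that SPN to fail. The following PowerShell is an added example, not part of the product documentation; the function name Test-SpnRegistration, the sample domain DC=eur,DC=example,DC=com, and the assumption that the account's CN equals its user name are illustrative.

```powershell
# Added example: classify the result of "setspn -Q <spn>" for one SPN.
# Assumptions: English-language setspn output, in which every directory
# object holding the SPN is printed as a distinguished name starting "CN=",
# and an account whose CN equals its user name (user1 -> CN=user1,...).
function Test-SpnRegistration {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$ExpectedCn,
        # Lines of "setspn -Q <spn>" output; queried live when not supplied.
        [string[]]$QueryOutput
    )
    if (-not $QueryOutput) {
        $QueryOutput = & setspn.exe -Q $Spn 2>&1 | ForEach-Object { "$_" }
    }

    # Collect the distinguished names of all objects that hold the SPN.
    $holders = @($QueryOutput |
        Where-Object { $_ -match '^\s*CN=' } |
        ForEach-Object { $_.Trim() })

    $expected = '^CN=' + [regex]::Escape($ExpectedCn) + ','
    $status = if ($holders.Count -eq 0) { 'Missing' }        # never registered
        elseif ($holders.Count -gt 1) { 'Duplicate' }         # held by several objects
        elseif ($holders[0] -notmatch $expected) { 'WrongAccount' }
        else { 'OK' }

    [pscustomobject]@{ Spn = $Spn; Status = $status; Holders = $holders }
}

# Constructed sample output (not captured from a real domain): the SPN is
# registered on two accounts, which the check reports as 'Duplicate'.
$sample = @(
    'Checking domain DC=eur,DC=example,DC=com',
    'CN=user1,CN=Users,DC=eur,DC=example,DC=com',
    "`tspnname",
    'CN=svc-old,CN=Users,DC=eur,DC=example,DC=com',
    "`tspnname",
    '',
    'Existing SPN found!'
)
Test-SpnRegistration -Spn 'spnname' -ExpectedCn 'user1' -QueryOutput $sample
```

Omit -QueryOutput on a domain-joined machine to query Active Directory directly; a status other than OK should be resolved before the SPN and its password are entered in the policy.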
Copyright © 2005-2016 Software AG, Darmstadt, Germany.
