KerberosAuthenticationLegacy
Legacy Kerberos Server Authentication Guide
RunaWFE Free Workflow System (BPMS) Version 4.5.0
© 2003 - 2015, Consulting Group Runa
© 2015 - 2024, "Process Technologies" Ltd, this document is available under GNU FDL license. RunaWFE Free is an open source system distributed under a LGPL license (http://www.gnu.org/licenses/lgpl.html).
In this section all the names and user principals are case sensitive.
Create a domain user (let us call him WorkflowUser).
To use DES encryption type open WorkflowUser user properties, check the 'Use DES encryption' box. After checking the box it is necessary to change password for WorkflowUser (so that the password will be encrypted by DES).
Suppose we are in test.com domain, the server is on wfserver.test.com computer, and default_realm in krb5.ini is installed in TEST.COM. It is necessary to create/edit ${windir}/krb5.ini configuration file on the server and client machines. Detailed description of Kerberos configuration file.
krb5.ini file example
[domain_realm] .test.com = TEST.COM test.com = TEST.COM [libdefaults] default_realm = TEST.COM kdc_timesync = 1 ccache_type = 4 ticket_lifetime = 600 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 [logging] kdc = CONSOLE [realms] TEST.COM = { kdc = 192.168.0.1:88 default_domain = test.com } [appdefaults] autologin = true forward = true forwardable = true encrypt = true
Further on we will need setspn and ktpass utilities, which can be downloaded from microsoft as part of Support tools. You should use them on domain controller.
Let us create an SPN (used only for Kerberos authentication through web interface):
setspn -A HTTP/wfserver.test.com@TEST.COM TEST\WorkflowUser
ktpass -princ HTTP/wfserver.test.com@TEST.COM -pass password for WorkflowUser -mapuser TEST\WorkflowUser
, where TEST is a NetBIOS name.
The last command may cause the notice «WARNING: pType and account type do not match. This might cause problems», which you may ignore.
On wfserver.test.com it is necessary to create a keytab file (by means of ktab from JAVA_HOME/bin):
ktab -a HTTP/wfserver.test.com@TEST.COM password for WorkflowUser -k C:/krb5.keytab
Copy the following file: https://svn.code.sf.net/p/runawfe/code/RunaWFE-4.x/trunk/projects/wfe/wfe-core/src/main/resources/kerberos.properties.sample and rename it into kerberos.properties. Change the names in the file into real ones.
name | description | default value |
api.auth.enabled | enable authentication using RunaWFE API | true |
http.auth.enabled | enable HTTP authentication (from web-interface) | true |
appName | com.sun.security.jgss.accept | |
moduleClassName | com.sun.security.auth.module.Krb5LoginModule | |
storeKey | true | |
useKeyTab | use key file | true |
keyTab | use key file stated by the filepath | C:/krb5.keytab |
doNotPrompt | do not request user data | true |
debug | authentication debug mode | true |
principal | SPN | HTTP/wfserver.test.com@TEST.COM |
serverPrincipal | SPN - was used only for notifier | HTTP/wfserver.test.com |
jcifs.http.enableNegotiate | true | |
sun.security.krb5.debug | authentication debug mode | true |
jcifs.spnego.servicePrincipal | SPN | HTTP/wfserver.test.com@TEST.COM |
http.auth.preference | Kerberos |