KerberosAuthenticationLegacy

From RunaWFE
Jump to navigation Jump to search

Legacy Kerberos Server Authentication Guide

RunaWFE Free Workflow System (BPMS) Version 4.5.0

© 2003 - 2015, Consulting Group Runa

© 2015 - 2024, "Process Technologies" Ltd, this document is available under GNU FDL license. RunaWFE Free is an open source system distributed under a LGPL license (http://www.gnu.org/licenses/lgpl.html).

In this section all the names and user principals are case sensitive.

Create a domain user (let us call him WorkflowUser).

To use DES encryption type open WorkflowUser user properties, check the 'Use DES encryption' box. After checking the box it is necessary to change password for WorkflowUser (so that the password will be encrypted by DES).

Suppose we are in test.com domain, the server is on wfserver.test.com computer, and default_realm in krb5.ini is installed in TEST.COM. It is necessary to create/edit ${windir}/krb5.ini configuration file on the server and client machines. Detailed description of Kerberos configuration file.

krb5.ini file example

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
[libdefaults]
 default_realm = TEST.COM
 kdc_timesync = 1
 ccache_type = 4
 ticket_lifetime = 600
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[logging]
 kdc = CONSOLE
[realms]
 TEST.COM = {
  kdc = 192.168.0.1:88
  default_domain = test.com
 }
[appdefaults]
 autologin = true
 forward = true
 forwardable = true
 encrypt = true

Further on we will need setspn and ktpass utilities, which can be downloaded from microsoft as part of Support tools. You should use them on domain controller.

Let us create an SPN (used only for Kerberos authentication through web interface):

setspn -A HTTP/wfserver.test.com@TEST.COM TEST\WorkflowUser

ktpass -princ HTTP/wfserver.test.com@TEST.COM -pass password for WorkflowUser -mapuser TEST\WorkflowUser

, where TEST is a NetBIOS name.

The last command may cause the notice «WARNING: pType and account type do not match. This might cause problems», which you may ignore.

On wfserver.test.com it is necessary to create a keytab file (by means of ktab from JAVA_HOME/bin):

ktab -a HTTP/wfserver.test.com@TEST.COM password for WorkflowUser -k C:/krb5.keytab

Copy the following file: https://svn.code.sf.net/p/runawfe/code/RunaWFE-4.x/trunk/projects/wfe/wfe-core/src/main/resources/kerberos.properties.sample and rename it into kerberos.properties. Change the names in the file into real ones.

name description default value
api.auth.enabled
enable authentication using RunaWFE API true
http.auth.enabled
enable HTTP authentication (from web-interface) true
appName
com.sun.security.jgss.accept
moduleClassName
com.sun.security.auth.module.Krb5LoginModule
storeKey
true
useKeyTab
use key file true
keyTab
use key file stated by the filepath C:/krb5.keytab
doNotPrompt
do not request user data true
debug
authentication debug mode true
principal
SPN HTTP/wfserver.test.com@TEST.COM
serverPrincipal
SPN - was used only for notifier HTTP/wfserver.test.com
jcifs.http.enableNegotiate
true
sun.security.krb5.debug
authentication debug mode true
jcifs.spnego.servicePrincipal
SPN HTTP/wfserver.test.com@TEST.COM
http.auth.preference
Kerberos