
SPNEGO/Kerberos Authentication

NOTE: A bug related to Kerberos authentication was fixed; please update to version 4.7 or higher.

TGT accessibility

By default, Windows does not allow the session key of a TGT to be accessed. Add the following registry value on the client side to make the TGT session key accessible.

For Windows XP, Windows 2000, Windows 7 and later Windows versions the registry key and value should be:

    Key:        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
    Value Name: allowtgtsessionkey
    Value Type: REG_DWORD
    Value:      0x01

Note that Microsoft documents this value under the Kerberos\Parameters subkey for Windows Vista and later; if the key above has no effect on a newer Windows version, set the same value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.

Add the following VM parameter to ${SoapUI_INSTALL_DIR}/bin/soapUI-pro-.vmoptions:

-Djavax.security.auth.useSubjectCredsOnly=false

Then run kinit to obtain the initial TGT:

kinit

This should be enough: restart SoapUI, select SPNEGO/Kerberos as the authentication type in the authentication header and set the username.

[Screenshot: AuthHeader]

If the above does not work, the further configuration described below is required.

Realm and KDC Info

Create a configuration file, krb5.conf, containing the realm information and the hostname of the KDC. Save krb5.conf in a directory that the application can access (say C:/kerberos).

The content of the file should look as follows:

    [libdefaults]
        default_realm = STHLM.SMARTBEAR.LOCAL
        udp_preference_limit = 1

    [realms]
        STHLM.SMARTBEAR.LOCAL = {
            kdc = dc02.sthlm.smartbear.local
            default_domain = STHLM.SMARTBEAR.LOCAL
        }

    # the section name is domain_realm; realm names are case-sensitive,
    # so the mapped realm must match the one declared under [realms]
    [domain_realm]
        .ad.example.net = STHLM.SMARTBEAR.LOCAL
        ad.example.net = STHLM.SMARTBEAR.LOCAL

STHLM.SMARTBEAR.LOCAL should be replaced with the realm of the domain, and kdc (the Key Distribution Center) should refer to the correct KDC server.

KeyTab

Create a keytab file to store the user credentials; it is used if the session key of the user is not available in the TGT cache. Store the keytab file (username.keytab) in an appropriate directory (C:/kerberos). The computer must be joined to the domain and the user must be logged in with the domain credentials in order to create the keytab file. Because the keytab holds the user's long-term Kerberos key, restrict read access on the file to that user.

In the command shown below, the username and password should be replaced with the real credentials and the file name should be changed to an appropriate name.

[Screenshot: GenerateKeytabFileNew]

JAAS login config file

A configuration file (login.conf) should provide the configuration for the LoginModule.

The file content should look as below; user.name should be replaced with the real username and the keytab file path should refer to the keytab file generated in the previous step:

    com.sun.security.jgss.login {
        com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
    };

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
            debug=true
            useTicketCache=true
            useKeyTab=true
            // keyTab is a plain file path; use straight quotes only
            keyTab="C:/kerberos/username.keytab"
            principal=user.name
            doNotPrompt=true;
    };

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
    };

Create and save this file in the appropriate directory (C:/kerberos).

Setting up environment variables

Add the following parameters to the SoapUI VM options by adding them, one per line, to the file ${SoapUI_INSTALL_DIR}/bin/soapUI-pro-.vmoptions (the first one may already be present from the earlier step):

-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=C:/kerberos/login.conf
-Djava.security.krb5.conf=C:/kerberos/krb5.conf

Restart SoapUI and enter the username in the NTLM/Kerberos authentication header.
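The whole client-side procedure on this page (registry value, krb5.conf, keytab, JAAS login.conf, VM options, kinit), scripted as an added PowerShell example; it is not SoapUI's own documentation or code. The realm, KDC and DNS suffix reuse the page's sample values, the user name and the .vmoptions path are assumed placeholders, and the script assumes a JDK's bin directory is on PATH (for ktab and kinit) and an elevated session for the registry write.

```powershell
# Added example, not part of the SoapUI documentation: scripts the client-side
# setup this page walks through. Realm, KDC, DNS suffix, user and the
# .vmoptions path are placeholders (the first three reuse the page's sample
# values); replace them with your own. Requires a JDK's bin directory on PATH
# (for ktab and kinit) and an elevated session for the registry write.

$Realm     = 'STHLM.SMARTBEAR.LOCAL'        # sample realm from the page
$Kdc       = 'dc02.sthlm.smartbear.local'   # sample KDC host from the page
$DnsSuffix = 'ad.example.net'               # DNS domain mapped onto the realm
$User      = 'user.name'                    # placeholder short principal name
$KrbDir    = 'C:\kerberos'
$VmOptions = 'C:\Program Files\SmartBear\SoapUI-Pro\bin\soapUI-pro.vmoptions'  # assumed; use your install's file
$Principal = "$User@$Realm"

# 1. Expose the TGT session key to applications (allowtgtsessionkey = 1).
#    The page names ...\Lsa\Kerberos; Windows Vista and later read the value
#    from the Parameters subkey, so both locations are set.
$LsaKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
)
foreach ($key in $LsaKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'allowtgtsessionkey' -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. Directory for the Kerberos client files.
New-Item -ItemType Directory -Path $KrbDir -Force | Out-Null

# 3. krb5.conf: realm, KDC and domain-to-realm mapping. Section names are the
#    ones the Java Kerberos config parser expects; realm names are case-sensitive.
@"
[libdefaults]
    default_realm = $Realm
    udp_preference_limit = 1

[realms]
    $Realm = {
        kdc = $Kdc
        default_domain = $Realm
    }

[domain_realm]
    .$DnsSuffix = $Realm
    $DnsSuffix = $Realm
"@ | Set-Content -Path (Join-Path $KrbDir 'krb5.conf') -Encoding ASCII

# Point the JDK tools used below at that file for the rest of this script.
$env:JAVA_TOOL_OPTIONS = "-Djava.security.krb5.conf=$KrbDir\krb5.conf"

# 4. Keytab for the user. Omitting the password makes ktab prompt for it, so the
#    secret stays out of the command line and the shell history.
$Keytab = Join-Path $KrbDir "$User.keytab"
& ktab -k "FILE:$Keytab" -a $Principal

# 5. JAAS login configuration for the JGSS initiator (same entries as on the page;
#    forward slashes in the keytab path avoid escape handling in the JAAS file).
$KeytabJava = $Keytab -replace '\\', '/'
@"
com.sun.security.jgss.login {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useTicketCache=true
        useKeyTab=true
        keyTab="$KeytabJava"
        principal="$Principal"
        doNotPrompt=true;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
};
"@ | Set-Content -Path (Join-Path $KrbDir 'login.conf') -Encoding ASCII

# 6. JVM options SoapUI needs, one per line, appended only if not already present.
$KrbDirJava = $KrbDir -replace '\\', '/'
$Options = @(
    '-Djavax.security.auth.useSubjectCredsOnly=false'
    "-Djava.security.auth.login.config=$KrbDirJava/login.conf"
    "-Djava.security.krb5.conf=$KrbDirJava/krb5.conf"
)
$Existing = if (Test-Path $VmOptions) { Get-Content $VmOptions } else { @() }
$Missing  = $Options | Where-Object { $Existing -notcontains $_ }
if ($Missing) { Add-Content -Path $VmOptions -Value $Missing }

# 7. Obtain the initial TGT (prompts for the password), then restart SoapUI and
#    pick SPNEGO/Kerberos with this user in the request's authentication header.
& kinit $Principal
Remove-Item Env:\JAVA_TOOL_OPTIONS
```

The script writes the JVM options with forward slashes, matching the form the page uses, and skips any option line that is already in the .vmoptions file so it can be re-run safely. Setting JAVA_TOOL_OPTIONS only for the duration of the script lets the JDK's ktab and kinit find the freshly written krb5.conf without relying on a krb5.ini in the Windows directory.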