
Long shot - anyone used SoapUI and Kerberos?

14 Posts
6 Users
4 Reactions
273 Views
Posts: 91000
Free Member
Topic starter
 

I know, but I might as well ask. It's not working for me - SoapUI sends the first request, it gets back a www-authenticate: negotiate header, then it sends back another request that's the same as the first, with no auth headers or anything.


 
Posted : 10/10/2023 2:24 pm
 StuF
Posts: 2068
Free Member
 

I'd start with this: https://www.soapui.org/docs/soap-and-wsdl/authenticating-soap-requests/


 
Posted : 10/10/2023 2:38 pm
Posts: 4643
Full Member
 

Who sends the third communication, SoapUI or your API? Are you inspecting with Wireshark or some browser plugin (was it kerbinspect?)


 
Posted : 10/10/2023 2:39 pm
Posts: 91000
Free Member
Topic starter
 

I’d start with this

I did.

SoapUI shows the HTTP requests that come and go. It's sending the second one as expected, but not including any headers with any kind of auth token in. I think SoapUI is just using the Java framework for it. It's as if it's failing to pick up my identity.

Or... wait - I cached the TGT with kinit, right? So then after the first request SoapUI (or the JVM) is meant to use that to obtain a ticket/token before it can then include it in the second request. So perhaps it's that that's failing?


 
Posted : 10/10/2023 3:00 pm
Posts: 13594
Free Member
 

Molgrips 15 minutes ago...


 
Posted : 10/10/2023 3:33 pm
Posts: 91000
Free Member
Topic starter
 

A kerberos code has not been entered, that is my problem.

Managed to find debug logs for SoapUI, they contain this:

localhost:7800 requires authentication with the realm 'null'

Looks like my domain user is somehow not associated with a realm in the KDC?


 
Posted : 10/10/2023 3:47 pm
footflaps reacted
Posts: 13594
Free Member
 

A kerberos code has not been entered, that is my problem.

Either way, it's not looking good, the North Koreans have taken over the servers....

Plus I'm not sure we should really be helping you, three correct codes and it's bye bye North America...


 
Posted : 10/10/2023 3:58 pm
oldnpastit reacted
Posts: 91000
Free Member
Topic starter
 

Plus I’m not sure we should really be helping you

I think we're safe on that front.


 
Posted : 10/10/2023 4:35 pm
Posts: 822
Free Member
 

A long time ago I used cntlm as a proxy that did NTLM auth rather than trying to get SoapUI doing the auth. A Google search https://www.google.com/search?q=kerberos+equivalent+for+cntlm suggests that https://github.com/L11R/escobar may do something similar for Kerberos.


 
Posted : 10/10/2023 4:59 pm
Posts: 91000
Free Member
Topic starter
 

I don't think my SPN has been set up.


 
Posted : 10/10/2023 5:02 pm
Posts: 8771
Full Member
 

I set up Kerberos authentication for SSH access on a Debian based NAS (flashed onto a budget consumer grade QNAP).

Did it a few years ago. Forgotten how it works now. I've lost a fair bit of enthusiasm for getting all techy these days but unfortunately need to dig back into it to regain access as I only granted read access to some of the partitions via smb.

TL;DR: I used to be vaguely familiar with Kerberos but have forgotten it now but really should relearn how to fix my system.

Looks like my domain user is somehow not associated with a realm in the KDC?

Sounds plausible!


 
Posted : 10/10/2023 6:23 pm
Posts: 91000
Free Member
Topic starter
 

It wasn't that. It had found the TGT, but failed to obtain a token to authenticate with the server. When authenticating with the server it creates a principal for the target server of the form servicename/hostname. The service name is HTTP, which it knows, so I created an SPN with HTTP/myhostname. But this didn't work - somehow, in order to obtain the hostname for the SPN, it did a reverse DNS lookup, and this returned some nonsense based on my cloud provider's environment setup. I could have fixed the DNS entries but I just created another SPN with the hostname and bingo, I can now get tickets.

It's authenticating properly but my actual user doesn't seem to be authorised...!


 
Posted : 10/10/2023 7:25 pm
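The post above describes the failure mode in one sentence: the client does not ask the KDC for HTTP/<the name you typed> but for HTTP/<whatever reverse DNS says the address is called>, so the SPN you registered is never the one being requested. The script below is an added example, not code from the thread or from SoapUI. It reproduces the hostname canonicalisation that Java's InetAddress.getCanonicalHostName() performs (forward lookup, reverse lookup, then a forward check of the PTR name, falling back to the bare IP literal when either step fails), which is what a canonicalising HTTP client such as Apache HttpClient's SPNEGO scheme feeds into the service principal name. The DNS tables, hostnames and the registered-SPN list are constructed for the example; the live resolvers at the bottom use the standard socket module so the same check can be run against a real host.

```python
"""Predict which SPN a hostname-canonicalising Kerberos client will request,
and report which of the candidates are not registered in the directory."""
import socket
from typing import Callable, Dict, Iterable, List, Optional

SERVICE = "HTTP"  # the service class SoapUI/HttpClient uses for web endpoints

Resolver = Callable[[str], Optional[str]]


def java_style_canonical_hostname(host: str, resolve_a: Resolver,
                                  resolve_ptr: Resolver) -> str:
    """Mimic InetAddress.getCanonicalHostName():
    1. forward-resolve the requested name to an address,
    2. reverse-resolve that address to a name (PTR),
    3. verify the PTR name resolves back to the same address.
    The textual IP is returned when the PTR is missing or fails the check,
    and the original name when the forward lookup itself fails."""
    ip = resolve_a(host)
    if ip is None:
        return host
    ptr_name = resolve_ptr(ip)
    if ptr_name is None:
        return ip  # no PTR record: Java falls back to the address literal
    ptr_name = ptr_name.rstrip(".")
    if resolve_a(ptr_name) != ip:
        return ip  # PTR name does not round-trip: treated as untrustworthy
    return ptr_name


def candidate_spns(host: str, resolve_a: Resolver, resolve_ptr: Resolver,
                   service: str = SERVICE) -> Dict[str, str]:
    """Both SPNs a client may ask for: the literal host and the canonical one."""
    canonical = java_style_canonical_hostname(host, resolve_a, resolve_ptr)
    return {
        "literal": f"{service}/{host}",
        "canonical": f"{service}/{canonical}",
    }


def missing_spns(candidates: Dict[str, str], registered: Iterable[str]) -> List[str]:
    """Candidates with no matching registration (SPN comparison is case-insensitive)."""
    have = {spn.lower() for spn in registered}
    return sorted({spn for spn in candidates.values() if spn.lower() not in have})


# --- constructed DNS data modelling the situation in the thread -------------
# The PTR for the server's address carries the cloud provider's generated name,
# which also forward-resolves, so the canonical name is the cloud one.
CONSTRUCTED_A = {
    "app01.corp.example": "10.0.1.25",
    "ec2-10-0-1-25.cloud.example": "10.0.1.25",
}
CONSTRUCTED_PTR = {"10.0.1.25": "ec2-10-0-1-25.cloud.example"}
CONSTRUCTED_REGISTERED = ["HTTP/app01.corp.example"]  # what the OP created first


# --- live resolvers for use against a real host ----------------------------
def live_resolve_a(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def live_resolve_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    cands = candidate_spns("app01.corp.example", CONSTRUCTED_A.get, CONSTRUCTED_PTR.get)
    print("client may request:", cands)
    print("not registered:", missing_spns(cands, CONSTRUCTED_REGISTERED))
```

Run against a real endpoint, swap the constructed tables for live_resolve_a and live_resolve_ptr and the registered list for the output of a directory query (setspn -L on the service account, for instance). Either registering the canonical name as a second SPN, as the poster did, or correcting the PTR record so the reverse lookup returns the intended name closes the gap; the second keeps a single SPN per service, which is easier to audit.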
Posts: 91000
Free Member
Topic starter
 

Finally, I had to allow my user to delegate to any service when authenticated via Kerberos - setting in AD.


 
Posted : 10/10/2023 9:01 pm
hot_fiat reacted
Posts: 4643
Full Member
 

Will it work backwards now - if you go into AD and make the server that it's running on trustable for delegation will any AD account authenticate?
I'll see if I can dig out some of our docs on this. It always used to make me go cross-eyed trying to work out which objects needed to trust which other ones.

edit: can you get to here without having to sign in?

This is for one of our products where the architecture is User Session (on computer) > IIS Server > Authenticate against SQL Db with Kerberos from User Session.


 
Posted : 11/10/2023 8:07 am
Posts: 91000
Free Member
Topic starter
 

I can read that article, ta. But I am going to put this down now as I just wanted to get this test working so I can stress test this particular bit of software (after it has stress tested me).

What an utter ball-ache though. Windows server ecosystem is an utter disaster.


 
Posted : 11/10/2023 8:11 am
hot_fiat reacted