I have a Linux/Java 6 client that will authenticate to SharePoint 2010 with NTLM and then send HTTP REST web service requests using Apache Commons HttpClient.

I can do this with NTLM, but I want to use the same REST API to access a SharePoint 2010 that uses Kerberos auth.

Any examples of how to authenticate and send REST over HTTP to a Kerberos SharePoint? (Preferably using HttpClient.)

P.S. I don't have access to the SharePoint code, but I do have access to the SharePoint admin configuration. This is roughly how I authenticate with NTLM:

// HttpClient 3.x; JCIFS_NTLMScheme is the JCIFS-backed NTLM scheme from the HttpClient NTLM guide
import java.net.Inet4Address;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.NTCredentials;
import org.apache.commons.httpclient.SimpleHttpConnectionManager;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

HttpClient httpClient = new HttpClient(new SimpleHttpConnectionManager(true));
AuthPolicy.registerAuthScheme(AuthPolicy.NTLM, JCIFS_NTLMScheme.class);
String localHostName = Inet4Address.getLocalHost().getHostName();
// uri is the SharePoint site URI; the credentials apply to that host on any port
AuthScope authscope = new AuthScope(uri.getHost(), AuthScope.ANY_PORT);
httpClient.getState().setCredentials(authscope, new NTCredentials(
        getUsername(), getPassword(), localHostName, getDomain()));

// after the initial NTLM auth I can call my REST service with "httpClient.executeMethod"
int status = httpClient.executeMethod(new GetMethod(accessURI + "/sitecollection/info"));
dov.amir
    Have you looked at http://thejavamonkey.blogspot.com/2008/04/clientserver-hello-world-in-kerberos.html – James Black May 23 '12 at 14:41
  • It's not exactly what I need. I have an existing API of REST web services over HTTP (org.apache.commons.httpclient.HttpClient) that works with NTLM, and I need to use the SAME web services when dealing with SharePoint servers using Kerberos. – dov.amir May 23 '12 at 17:16
  • Which part of the article I mentioned will be a problem? You need to get the ticket, and I am not certain how you plan on doing that. It may help if you go into more detail. – James Black May 24 '12 at 21:04
  • Maybe I didn't understand, but what I want to do is send web requests to a Kerberos SharePoint server like this: httpClient.executeMethod(new GetMethod(accessURI)); Will I be able to run HTTP requests after the authentication in the article? Also, I am not sure how to acquire the correct principal from my SharePoint server (principal="webserver/bully@EXAMPLE.COM";). – dov.amir May 25 '12 at 08:54
  • You may want to look at this question, as it is similar to what you want: http://stackoverflow.com/questions/592403/access-a-sharepoint-website-from-a-java-application-with-kerberos-authentication – James Black May 26 '12 at 15:06
  • I would suggest you download the code, and make the changes suggested and try it. But, to get the principal you need to ask the sysadmins what value to put there. – James Black May 26 '12 at 15:06
  • That describes how to create a client + server that share common code like the CallbackHandler, but I don't have access to the server code; I create a client to an existing server. – dov.amir May 27 '12 at 09:05
  • Is your Java client supposed to connect with the workstation user's identity, or is it a machine-to-machine connection with a single technical user? – Yves Martin May 30 '12 at 21:05

1 Answer

Please confirm that your environment is correctly set up for Kerberos; this can be achieved by running kinit. If this fails you will need to ensure that your krb5.ini (Windows) or krb5.conf (Linux) is set up to point to your domain controller correctly.

Once you have confirmed that Kerberos is functional you can use the example code from HttpClient as pasted below.

Please note that there are many issues that can cause Kerberos to fail, such as time synchronisation, supported encryption types, and trust relationships across domain forests, and it's also worth ensuring that your client is on a separate box to the server.

Here is the example code which is available in the HttpClient download, you will need to ensure your JAAS configuration and krb5.conf or ini are correct!

import java.security.Principal;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

public class ClientKerberosAuthentication {

    public static void main(String[] args) throws Exception {

        // JAAS login configuration (Krb5LoginModule entry) and Kerberos realm/KDC settings
        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        // Verbose Kerberos tracing on stdout; remove once the handshake works
        System.setProperty("sun.security.krb5.debug", "true");
        // Let JGSS log in through the JAAS config itself instead of requiring a Subject.doAs()
        System.setProperty("javax.security.auth.useSubjectCredsOnly","false");

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory());

            // SPNEGO ignores these credentials; a Credentials object only has to be present
            // for the scheme to be attempted, the real ticket comes from JAAS/JGSS
            Credentials use_jaas_creds = new Credentials() {

                public String getPassword() {
                    return null;
                }

                public Principal getUserPrincipal() {
                    return null;
                }

            };

            // Any host, any port, any realm
            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(null, -1, null),
                    use_jaas_creds);

            HttpUriRequest request = new HttpGet("http://kerberoshost/");
            HttpResponse response = httpclient.execute(request);
            HttpEntity entity = response.getEntity();

            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
            System.out.println("----------------------------------------");
            if (entity != null) {
                System.out.println(EntityUtils.toString(entity));
            }
            System.out.println("----------------------------------------");

            // This ensures the connection gets released back to the manager
            EntityUtils.consume(entity);

        } finally {
            // When HttpClient instance is no longer needed,
            // shut down the connection manager to ensure
            // immediate deallocation of all system resources
            httpclient.getConnectionManager().shutdown();
        }
    }

}
Emil L
JayTee
  • I don't have a keytab and krb5.conf; do I need to define them also? This is the SharePoint Kerberos URL I am trying to access: https://sp10-krb.qa.eng.mycompany.com/sites/mysite/myrestservice.aspx Will the kinit test be: kinit myspadminusername@QA.ENG.MYCOMPANY.COM mysppassword ? – dov.amir May 30 '12 at 16:42
  • `krb5.conf` and `login.config` are required. Then, if your client always uses the same user identity to connect, a keytab may be a good idea to avoid kinit user/password authentication and the trouble of storing the password somewhere. – Yves Martin May 30 '12 at 21:07
  • Where do I give the principal name and password if I don't use a keytab? – dov.amir May 31 '12 at 21:11
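The last two comments (where to supply the principal and password without a keytab, and Yves Martin's suggestion of a keytab for a fixed technical user) can both be handled in code with JAAS rather than through a login.conf file. The program below is an added example written for this page; it is not code from the question, the answer or the HttpClient project. It assumes the same HttpClient 4.1-era API the answer uses (DefaultHttpClient, SPNegoSchemeFactory) and the Sun/Oracle JDK Krb5LoginModule. The JAAS entry name, the service account svc_sprest@QA.ENG.MYCOMPANY.COM and the keytab path are placeholders; the REST URL is the one given in the comments. Because the request is executed inside Subject.doAs(), the default javax.security.auth.useSubjectCredsOnly=true is kept and JGSS takes the TGT from the logged-in Subject instead of looking up a login.conf entry.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.apache.http.*;
import org.apache.http.auth.*;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

public class SharePointKerberosClient {
    // Hypothetical JAAS entry name; it only has to match between jaasConfig() and login().
    private static final String JAAS_ENTRY = "SharePointClient";

    // JAAS configuration built in code instead of a login.conf file. With a keytab the
    // Krb5LoginModule reads the key from it; without one it asks the CallbackHandler.
    static Configuration jaasConfig(final String principal, final String keytabPath) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!JAAS_ENTRY.equals(name)) return null;
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("principal", principal);
                opts.put("useTicketCache", "false"); // do not rely on a previous kinit
                if (keytabPath != null) {
                    opts.put("useKeyTab", "true");
                    opts.put("keyTab", keytabPath);
                    opts.put("storeKey", "true");
                    opts.put("doNotPrompt", "true"); // never fall back to a password prompt
                }
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    // Hands principal and password to Krb5LoginModule when no keytab is used.
    static CallbackHandler passwordHandler(final String principal, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(principal);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Obtains the TGT (from password or keytab) and returns the Subject that holds it.
    static Subject login(String principal, char[] password, String keytabPath) throws Exception {
        Configuration.setConfiguration(jaasConfig(principal, keytabPath));
        CallbackHandler handler = keytabPath == null ? passwordHandler(principal, password) : null;
        LoginContext lc = new LoginContext(JAAS_ENTRY, handler);
        lc.login();
        return lc.getSubject();
    }

    // Runs the GET as the logged-in Subject. With the default useSubjectCredsOnly=true,
    // JGSS takes the TGT from that Subject and asks the KDC for a ticket to HTTP/<host of url>.
    static String get(Subject subject, final String url) throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<String>() {
            public String run() throws IOException {
                DefaultHttpClient client = new DefaultHttpClient();
                try {
                    client.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory());
                    // SPNEGO only needs some Credentials object to exist; its content is unused.
                    client.getCredentialsProvider().setCredentials(new AuthScope(null, -1, null),
                            new Credentials() {
                                public String getPassword() { return null; }
                                public Principal getUserPrincipal() { return null; }
                            });
                    HttpResponse response = client.execute(new HttpGet(url));
                    HttpEntity entity = response.getEntity();
                    String body = entity == null ? "" : EntityUtils.toString(entity);
                    if (response.getStatusLine().getStatusCode() != 200)
                        throw new IOException(response.getStatusLine() + ": " + body);
                    return body;
                } finally {
                    client.getConnectionManager().shutdown();
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf"); // realm and KDC settings
        String principal = "svc_sprest@QA.ENG.MYCOMPANY.COM";            // placeholder account
        String keytab = args.length > 0 ? args[0] : null;                // optional keytab path
        char[] password = keytab == null ? System.console().readPassword("Password: ") : null;
        Subject subject = login(principal, password, keytab);
        System.out.println(get(subject,
                "https://sp10-krb.qa.eng.mycompany.com/sites/mysite/myrestservice.aspx"));
    }
}
```

Run it with no arguments to be prompted for the password, or with a keytab path as the single argument for an unattended service. The service ticket is requested for HTTP/<hostname of the URL>, so that SPN has to be registered on the SharePoint web application's pool account in Active Directory and the URL must use that hostname, not an alias or IP address; if the service runs on a non-default port, construct `new SPNegoSchemeFactory(true)` so the port is stripped from the SPN. For the kinit check the answer recommends, kinit takes only the principal (`kinit myspadminusername@QA.ENG.MYCOMPANY.COM`) and prompts for the password; `klist` afterwards shows whether a TGT was obtained. Keep `sun.security.krb5.debug=true` from the answer's example at hand while troubleshooting, since it prints the exact principal and encryption types being negotiated.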