Layer7 API Management

  • 1.  Configure the api gateway to delegate kerberos authentication

    Posted Jul 27, 2020 02:30 PM

    Hi,

    We are trying to configure the API Gateway ver 10 to delegate Kerberos authentication.

    We have a service using Kerberos that we are able to access in a browser.

    We put that service behind our dev API Gateway ver 10 to delegate Kerberos authentication by looking at https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/learning-center/configure-the-gateway-for-kerberos-token-based-authentication.html.

    We created a standard user in the Active Directory to be used as a service user for the CA API Gateway with delegation access for the user the service is using for Kerberos.

    We have the user in the keytab showing as authenticated using aes256-cts-hmac-sha1-96.

    For the Configure Kerberos Delegation, https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/learning-center/configure-the-gateway-for-kerberos-token-based-authentication/configure-kerberos-delegation.html, we added the assertions below.

     Require Windows Integrated Authentication Credentials Assertion
     Route via HTTP(S) Assertion (set to Use Delegated Credentials)

    Kerberos does not seem to be delegated and we're being returned a 400 by the gateway.

    Support advised to use the Retrieve Kerberos Authentication Credentials Assertion: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/policy-assertions/assertion-palette/access-control-assertions/retrieve-kerberos-authentication-credentials-assertion.html

    Now we have the following assertions.

     Require Windows Integrated Authentication Credentials Assertion
     Retrieve Kerberos Authentication Credentials Assertion (set to the realm of our AD domain, our.addomain.com, and the SPN of our dev gateway, HTTP/dev.gateway.com, using the gateway keytab and constrained proxy)
     Route via HTTP(S) Assertion (set to Use Delegated Credentials)

    Kerberos does not seem to be delegated and we're being returned a 400 by the gateway.

    It seems the exchange is:

     > we make the request
     < we get a 401 response back with WWW-Authenticate: Negotiate
     > we send back Authorization: Negotiate (9,416 characters)
     < we get a 400 back from the gateway that seems to be com.l7tech.common.http.HttpHeaderUtil: Bad Authorization header present

    It seems like we have not passed the authorization header and are stuck with the gateway returning 400.

    Is there any assertion debugging etc. we can add to determine the issue(s) we are running into?

    Thanks
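    The 401 / Negotiate / 400 exchange above, as an added diagnostic example that is not part of the original post and is not Layer7 gateway code: it decodes the base64 value of a browser's Authorization: Negotiate header offline and reports the token's size in bytes, whether the outer wrapper is SPNEGO, which mechanisms the client offered, and whether the inner token is a Kerberos AP-REQ or an NTLM message. The sample header it builds is constructed (filler bytes stand in for the ticket and PAC); the OIDs are the standard IANA/Microsoft values; to use it on real traffic, paste the captured header value into inspect_negotiate_header.

```python
"""Offline inspection of an "Authorization: Negotiate <base64>" header.
Added example; not code from the Layer7 gateway or the original post. Sample tokens are constructed."""
import base64
import re

MECH_NAMES = {                              # GSS-API mechanism OIDs (dotted) -> label
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
SPNEGO_OID = bytes.fromhex("2b0601050502")          # DER content bytes of 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
NTLM_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def decode_oid(raw):
    """DER OID content bytes -> dotted notation."""
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def mech_of(token):
    """Name the mechanism of a GSS token: raw NTLMSSP blob or InitialContextToken (0x60 + OID)."""
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP"
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError(f"unexpected outer tag 0x{tag:02x}")
    oid = decode_oid(read_tlv(body, 0)[1])
    return MECH_NAMES.get(oid, oid)


def inspect_negotiate_header(header_value):
    """Describe a Negotiate header: sizes, outer mechanism, SPNEGO mechTypes and inner token."""
    m = re.fullmatch(r"Negotiate\s+([A-Za-z0-9+/]+=*)", header_value.strip())
    if not m:
        return {"ok": False, "error": "not a single-token Negotiate header"}
    b64 = m.group(1)
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError as exc:               # binascii.Error subclasses ValueError
        return {"ok": False, "error": f"invalid base64: {exc}"}
    info = {"ok": True, "b64_chars": len(b64), "token_bytes": len(token)}
    try:
        info["mechanism"] = mech_of(token)
        if info["mechanism"] != "SPNEGO":
            return info                     # raw NTLM or bare Kerberos token, no SPNEGO wrapper
        # body = OID ++ [0] NegTokenInit ::= SEQUENCE { [0] mechTypes, ..., [2] mechToken }
        _, body, _ = read_tlv(token, 0)
        _, _, pos = read_tlv(body, 0)       # skip the SPNEGO OID
        seq = read_tlv(read_tlv(body, pos)[1], 0)[1]
        p = 0
        while p < len(seq):
            ctag, cval, p = read_tlv(seq, p)
            if ctag == 0xA0:                # mechTypes: SEQUENCE OF OID, in client preference order
                mech_list, q, oids = read_tlv(cval, 0)[1], 0, []
                while q < len(mech_list):
                    _, o, q = read_tlv(mech_list, q)
                    oids.append(MECH_NAMES.get(decode_oid(o), decode_oid(o)))
                info["mech_types"] = oids
            elif ctag == 0xA2:              # mechToken: OCTET STRING holding the inner token
                mech_token = read_tlv(cval, 0)[1]
                info["mech_token_bytes"] = len(mech_token)
                info["inner_mechanism"] = mech_of(mech_token)
    except (IndexError, ValueError) as exc:
        return {"ok": False, "error": f"malformed token: {exc}"}
    return info


def build_sample_header(filler_bytes=3000):
    """Constructed SPNEGO NegTokenInit around a fake Kerberos AP-REQ; filler stands in for ticket and PAC."""
    fake_apreq = der(0x6E, b"\x00" * filler_bytes)                          # AP-REQ is [APPLICATION 14]
    krb_token = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + fake_apreq)   # TOK_ID 01 00 = AP-REQ
    mech_types = der(0x30, der(0x06, KRB5_OID) + der(0x06, NTLM_OID))
    neg_init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, krb_token)))
    spnego = der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(spnego).decode()
```

    Running inspect_negotiate_header(build_sample_header()) reports a SPNEGO wrapper offering Kerberos V5 and NTLMSSP, with a Kerberos inner token. Applied to a captured header, the two things worth reading off are the mechanism (whether the browser actually sent Kerberos or fell back to NTLM) and the token size in bytes, which is what the thread's later discussion of token compression turns on; a 9,416-character base64 value decodes to roughly 7 KB of token.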



  • 2.  RE: Configure the api gateway to delegate kerberos authentication
    Best Answer

    Broadcom Employee
    Posted Jul 28, 2020 02:25 AM
    Dear Kirt,
    I don't remember if it's relevant, but what's the version of your AD server?
    From Windows Server 2012 onward, Kerberos token compression is enabled by default, which is not supported by the gateway.
    The KB below provides more details:
    https://knowledge.broadcom.com/external/article?articleId=186956

    Regards,
    Mark


  • 3.  RE: Configure the api gateway to delegate kerberos authentication

    Posted Jul 28, 2020 09:11 AM
    Edited by Securian Employee Jul 29, 2020 08:34 AM
    Thanks

    It is Server 2019 and Kerberos token compression is enabled by default. We're unable to disable it. Seems like Kerberos will not work.

    Do you know if there are plans to support compression?