Hi,
We are trying to configure the API Gateway ver 10 to delegate Kerberos authentication.
We have a service using Kerberos that we are able to access in a browser.
We put that service behind our dev API Gateway ver 10 to delegate Kerberos authentication by looking at https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/learning-center/configure-the-gateway-for-kerberos-token-based-authentication.html.
We created a standard user in the Active Directory to be used as a service user for the CA API Gateway with delegation access for the user the service is using for Kerberos.
We have the user in the keytab showing as authenticated using aes256-cts-hmac-sha1-96.
For the Configure Kerberos Delegation, https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/learning-center/configure-the-gateway-for-kerberos-token-based-authentication/configure-kerberos-delegation.html, we added the assertions below.
Require Windows Integrated Authentication Credentials Assertion
Route via HTTP(S) Assertion (set to Use Delegated Credentials)
The Kerberos credentials do not seem to be delegated and we're being returned a 400 by the gateway.
Support advised to use Retrieve Kerberos Authentication Credentials Assertion https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/policy-assertions/assertion-palette/access-control-assertions/retrieve-kerberos-authentication-credentials-assertion.html
Now we have the following assertions.
Require Windows Integrated Authentication Credentials Assertion
Retrieve Kerberos Authentication Credentials (Set to the realm of our AD domain our.addomain.com and the SPN of our dev gateway HTTP/dev.gateway.com to use gateway keytab and constrained proxy)
Route via HTTP(S) Assertion (Set to Use Delegated Credentials)
The Kerberos credentials do not seem to be delegated and we're being returned a 400 by the gateway.
It seems we're making the request >
< getting a 401 response back with WWW-Authenticate: Negotiate
Sending back Authorization: Negotiate (9,416 characters) >
< getting 400 back from the gateway that seems to be com.l7tech.common.http.HttpHeaderUtil: Bad Authorization header present
It seems like we have not passed the authorization header and are stuck with the gateway returning 400.
Is there any assertion debugging, etc., we can add to determine the issue(s) we are running into?
Thanks
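
One way to check what the client actually put in the `Authorization: Negotiate` header from the exchange described above, as an added example that is not part of the original post or of the gateway product: it classifies a captured header value as SPNEGO, Kerberos or NTLM and flags a value that is not clean base64. The function names and the two sample tokens are constructed for illustration.

```python
import base64
import binascii

# DER-encoded OID contents (tag and length bytes excluded)
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (legacy Microsoft value)

def read_der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def inspect_negotiate(header_value):
    """Classify an Authorization header value; the ticket itself is not validated."""
    info = {"scheme": None, "token_len": 0, "mech": "unknown", "kerberos_oid_seen": False}
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        info["mech"] = "no token"
        return info
    info["scheme"], b64 = parts
    try:
        token = base64.b64decode(b64, validate=True)  # rejects folded or space-broken values
    except (binascii.Error, ValueError):
        info["mech"] = "invalid base64"
        return info
    info["token_len"] = len(token)
    if token.startswith(b"NTLMSSP\x00"):
        info["mech"] = "raw NTLM"                      # no Kerberos ticket in this token
    elif token[:1] == b"\x60":                         # GSS-API InitialContextToken
        try:
            _, pos = read_der_len(token, 1)
            if token[pos] != 0x06:
                raise ValueError("mechanism OID expected")
            oid_len, pos = read_der_len(token, pos + 1)
        except (IndexError, ValueError):
            info["mech"] = "malformed GSS-API token"
            return info
        oid, body = token[pos:pos + oid_len], token[pos + oid_len:]
        info["mech"] = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos"}.get(oid, "other GSS mechanism")
        # Heuristic byte search for the Kerberos mechanism OID, not a full ASN.1 walk
        info["kerberos_oid_seen"] = oid == OID_KRB5 or OID_KRB5 in body or OID_MS_KRB5 in body
        if b"NTLMSSP\x00" in body:
            info["mech"] += " wrapping NTLM"
    return info

# Constructed samples (not captured traffic): minimal NegTokenInit offering Kerberos; NTLM type 1 prefix
SAMPLE_SPNEGO = base64.b64encode(bytes.fromhex("601b06062b0601050502a011300fa00d300b0609") + OID_KRB5).decode()
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Pass it the header value exactly as captured on the wire (everything after `Authorization: `), so that any folding or truncation introduced in transit is still visible to the base64 check.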