Dear Stephan,
I am not sure if the gateway works like that.
But at least, the gateway will contact KDC to validate the keytab (you can see "Validate Keytab" button on Kerberos Configuration window, and by default it will automatically validate keytab ).
You can enable kerberos debug as below, then you can see what gateway is trying to do,
1. vi /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties
add one line,
node.java.opts = -Dsun.security.krb5.debug=true
2. restart gateway
service ssg restart
3. check the ssg log for kerberos transactions,
/opt/SecureSpan/Gateway/node/default/var/logs/ssg_0_0.log
Regards,
Mark
Original Message:
Sent: 01-13-2020 04:58 AM
From: Stephan Burkard
Subject: Kerberos Communication
Hi Mark
Thanks a lot for your answer. Yes, the fallback to TCP could be the reason it works, I will check that.
However, the main question is: What tries the Gateway to do? The Gateway is not the Kerberos client, it is the Kerberos Service that has a Keytab file and authenticates Kerberos tokens sent by the clients.
As far as I understand Kerberos and according to this answer, the Kerberos Service has no need to communicate with the KDC. Only the Client does that to get tokens. The Kerberos Service can be off-site (Cloud, partner company, whatever) and it would be a problem if you had to allow such foreign networks to access your internal KDC, wouldn't it?
Regards
Stephan
Original Message:
Sent: 01-12-2020 05:31 PM
From: Zhijun He
Subject: Kerberos Communication
Dear Stephen,
Please refer to RFC 4120,
https://tools.ietf.org/html/rfc4120#page-102
Kerberos is primarily a UDP protocol, Kerberos client MAY first use UDP protocol (default port 88) for contacting KDC, it can fail back to TCP port 88 if UDP fails.
(on old rfc1510, only UDP for kerberos)
Since your use case is working, I believe your firewall has TCP port 88 opened.
But I would concern on the performance, as it seems it will wait for UDP timeout each time calling the KDC.
Regards,
Mark
Original Message:
Sent: 01-10-2020 07:03 AM
From: Stephan Burkard
Subject: Kerberos Communication
Hi
We authenticate Requests with Kerberos Token on the API Gateways and this works fine.
- We import a Keytab file on the Gateway
- We use the "Require WS-Security Kerberos Token Profile Credentials" Assertion to authenticate the Requests
However, on one Gateway I noticed SocketTimeoutExceptions while the Gateway tries to contact the KDC Server (UDP 88, see below). This is expected since the communication between Gateway and KDC is not allowed (Firewall).
Questions:
- What is the Gateway trying to do here?
- Should we allow this communication?
- Is there anything supposed not to working when we block this communication? We did not experience any problems so far.
- I expect the Gateway to be independent of the KDC due to the imported Keytab-File. Am I wrong on this Kerberos theory?
Thanks
Stephan
2020-01-08T10:47:51.641+0100 INFO 5336144 STDOUT: SocketTimeOutException with attempt: 32020-01-08T10:47:51.641+0100 INFO 5336144 STDOUT: >>> KrbKdcReq send: error trying [IP-Number]:882020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: java.net.SocketTimeoutException: Receive timed out2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at java.net.PlainDatagramSocketImpl.receive0(Native Method)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at java.net.DatagramSocket.receive(DatagramSocket.java:812)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.security.krb5.internal.UDPClient.receive(NetClient.java:206)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:411)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at java.security.AccessController.doPrivileged(Native Method)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.security.krb5.KdcComm.send(KdcComm.java:348)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.security.krb5.KdcComm.send(KdcComm.java:229)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.security.krb5.KdcComm.send(KdcComm.java:200)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.reflect.GeneratedMethodAccessor83183.invoke(Unknown Source)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at java.lang.reflect.Method.invoke(Method.java:498)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at java.security.AccessController.doPrivileged(Native Method)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at javax.security.auth.login.LoginContext.login(LoginContext.java:587)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at com.l7tech.kerberos.KerberosClient.getKerberosAcceptPrincipal(Unknown Source)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at com.l7tech.server.aj.run(Unknown Source)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: at java.lang.Thread.run(Thread.java:748)2020-01-08T10:47:51.643+0100 INFO 5336144 STDOUT: >>> KdcAccessibility: add [IP-Number]:882020-01-08T10:47:51.643+0100 WARNING 5336144 com.l7tech.server.KerberosAdminImpl: Kerberos error getting principal: [principal]2020-01-08T10:47:53.955+0100 INFO 5336167 STDOUT: SocketTimeOutException with attempt: 22020-01-08T10:47:53.955+0100 INFO 5336167 STDOUT: >>> KDCCommunication: kdc=[IP-Number] UDP:88, timeout=30000,Attempt =3, #bytes=155