Layer7 API Management


 How to use Kerberos Delegation Protocol Transition with configured Credentials

Sebastian van Voorn posted Jun 26, 2025 08:07 AM

Hello All,

We have started a PoC to try Kerberos Delegation with Protocol Transition.

First we use Client Certificate Authentication in the policy and then we want to retrieve Kerberos Authentication Credentials by using Configured Credentials (so no Keytab is used). We use the same account as for the configured LDAP connection to the Active Directory.

This user has the added right to 'Trust this user for delegation to specified services'.

Instead of using the Authenticated User, we specify a User Name as Authenticated User.

But now somehow the assertion fails and we don't know why. Though, the Audit log shows a SEVERE error:

2025-06-26T12:24:58.787+0200 SEVERE  615  com.l7tech.server.SoapMessageProcessingServlet: class com.l7tech.external.assertions.kerberos.authentication.server.ServerKerberosAuthenticationAssertion (in unnamed module @0x5f308a9d) cannot access class sun.security.krb5.RealmException (in module java.security.jgss) because module java.security.jgss does not export sun.security.krb5 to unnamed module @0x5f308a9d

This is on our API Gateway V11.1.1 Virtual Appliance. 

We also tried this on our Container V11.1.2 version. And this also gives a SEVERE error:
{"exception":"java.lang.NullPointerException: Cannot invoke \"String.equals(Object)\" because the return value of \"com.l7tech.identity.User.getName()\" is null\n\tat com.l7tech.external.assertions.kerberos.authentication.server.ServerKerberosAuthenticationAssertion.doCheckRequest(Unknown Source)\n\tat 
...a lot of stack to dump...
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)\n\tat java.base/java.lang.Thread.run(Unknown Source)\n","package":"com.l7tech.server.SoapMessageProcessingServlet","level":"SEVERE","log":{"service":"PSB-kerberostest [/kerberostest]","user-id":"fc8b21b432e5fa8aaa503a4c2ced9a65:0000000000000000ffffffffffffffff","client-ip":"10.42.0.38","request-id":"6d994ea481a39c30-b9e7eae95f5fd71c","service-folder-path":"/","message":"Cannot invoke \"String.equals(Object)\" because the return value of \"com.l7tech.identity.User.getName()\" is null","listen-port":"Default HTTPS (9443)"},"time":"2025-06-26T10:54:03.339+0000"}

Any idea what is going wrong? 

Best Regards,
Sebastian van Voorn.

Fernando7layer

Hi Sebastian,

Validate whether you have enabled java.security.jgss/sun.security.jgss=ALL-UNNAMED. Please review this article: Kerberos Authentication Failing In Gateway 11.1

Sebastian van Voorn

We have been informed that it should be solved in V11.1.2, so we tested it with this version. But now we encounter this same error:

2025-07-22T13:49:53.282+0200 SEVERE 270 com.l7tech.server.SoapMessageProcessingServlet: class com.l7tech.external.assertions.kerberos.authentication.server.ServerKerberosAuthenticationAssertion (in unnamed module @0x79d1ffbc) cannot access class sun.security.krb5.RealmException (in module java.security.jgss) because module java.security.jgss does not export sun.security.krb5 to unnamed module @0x79d1ffbc
So still no solution, though the ssgruntimedefs.sh has been changed a lot.
Greetings, Sebastian.
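
A triage sketch for the SEVERE lines in this thread, added here as an example and not part of any post or of the Layer7 product: it reads the module and package named in the JVM's access error, derives the matching `--add-exports`/`--add-opens` option, and reports which of those are absent from a given JVM argument string. The sample log lines and the argument string are constructed for illustration, and where the Gateway actually sets its JVM options is not shown on this page.

```python
import re

# Shape of the JVM's module-access message, as seen in the thread:
#   "... because module <module> does not export <package> to unnamed module @0x..."
# The reflective variant reads: module <module> does not "opens <package>" to ...
JPMS_RE = re.compile(
    r'module (?P<module>[\w.]+) does not '
    r'(?:export (?P<exp>[\w.]+)|"opens (?P<opn>[\w.]+)")'
    r' to (?P<target>unnamed module|module [\w.]+)'
)

def required_flags(log_lines):
    """JVM options implied by the access errors, de-duplicated, in first-seen order."""
    flags = []
    for line in log_lines:
        for m in JPMS_RE.finditer(line):
            kind = "--add-exports" if m["exp"] else "--add-opens"
            pkg = m["exp"] or m["opn"]
            target = ("ALL-UNNAMED" if m["target"] == "unnamed module"
                      else m["target"].split()[1])
            flag = f"{kind} {m['module']}/{pkg}={target}"
            if flag not in flags:
                flags.append(flag)
    return flags

def missing_flags(log_lines, jvm_args):
    """Options the log calls for that do not appear in the configured arguments."""
    # Accept both "--add-exports value" and "--add-exports=value" spellings.
    found = re.findall(r'(--add-(?:exports|opens))[ =](\S+)', jvm_args)
    configured = {f"{kind} {value}" for kind, value in found}
    return [f for f in required_flags(log_lines) if f not in configured]

# Constructed sample input (module ids and the third line are made up).
SAMPLE_LOG = [
    "SEVERE 615 Servlet: class A (in unnamed module @0x1111) cannot access class "
    "sun.security.krb5.RealmException (in module java.security.jgss) because module "
    "java.security.jgss does not export sun.security.krb5 to unnamed module @0x1111",
    "SEVERE 270 Servlet: class A (in unnamed module @0x2222) cannot access class "
    "sun.security.krb5.RealmException (in module java.security.jgss) because module "
    "java.security.jgss does not export sun.security.krb5 to unnamed module @0x2222",
    'WARNING module java.base does not "opens java.lang" to unnamed module @0x3333',
]
SAMPLE_JVM_ARGS = ("-Xmx2g --add-exports java.security.jgss/sun.security.jgss=ALL-UNNAMED "
                   "--add-opens=java.base/java.lang=ALL-UNNAMED")

if __name__ == "__main__":
    for flag in missing_flags(SAMPLE_LOG, SAMPLE_JVM_ARGS):
        print("not configured:", flag)
```

With the constructed arguments above, the export for `sun.security.jgss` is present but the package the error names is `sun.security.krb5`, so that option is the one reported.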