The most important things to know about WCF integration (1 of 5)
– When using Kerberos with the wsHttp or ws2007Http binding:
– On Windows Server, generate the keytab file with the right algorithm and the correct kvno for the right principal, then deploy the keytab to the DataPower device:
ktpass -out dp.keytab -princ dpbox/wcfservice@realm -mapUser sp-user -mapOp set -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -kvno 7
– Include the following WS-SP parameters (they are needed only for the specific policy domain):
• Kerberos server principal
• Kerberos client principal
• Kerberos keytab
• interop with 'microsoft'
– The 'verify' action now enforces the correct 'client' (a.k.a. 'signer') principal.
DataPower WCF integration
© 2010 IBM Corporation
Steps to generate the service principal name and the keytab file in Active Directory:
1) Create an SPN to represent the service in Active Directory
In order for the client to obtain a Kerberos ticket and generate the Kerberos token, you need to create an SPN (Service Principal Name) for the target service.
You will need access to the Active Directory Users and Computers console and the "setspn.exe" utility (for Windows 2003 you can download it from Microsoft or find it on the Windows 2003 tools CD).
a) Create an AD pseudo-user to which the SPN will be mapped. For this example, create an AD user "service-provider".
b) Create an SPN mapped to the "service-provider" user created above:
setspn -a HOST/hostname:port service-provider
where hostname and port are the hostname (or IP address) and port you will use for the front-side protocol handler of the DataPower Web service proxy.
(NOTE: any arbitrary SPN would work as well; we chose the HOST/... format since it represents a DataPower® device well.)
c) Check that the SPN was registered correctly: setspn -l service-provider. You should see the SPN listed.
2) Generate a Kerberos keytab for the SPN
In order for Kerberos to work, you will need to map the SPN to the user and create a Kerberos keytab, which will later be used with WebSphere® DataPower.
To do this, use the "ktpass" utility:
ktpass -out c:\temp\service-provider.keytab -princ HOST/hostname:port@DOMAIN -mapUser usercreatedabove -mapOp set -pass passwordforuser -crypto RC4-HMAC-NT
Assuming that your Windows AD domain is MYDOMAIN.COM and that you created a user named service-provider in step a) above, the command would look like:
ktpass -out c:\temp\service-provider.keytab -princ HOST/hostname:port@MYDOMAIN.COM -mapUser service-provider -mapOp set -pass passwordforuser -crypto RC4-HMAC-NT
NOTE: It is important to specify the -crypto option as RC4-HMAC-NT in order to make this work.
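Before copying the keytab to the device, it pays to confirm that ktpass actually wrote an entry for the exact principal you registered, with the RC4-HMAC enctype and the kvno you expect; a keytab with the wrong realm case, a stale kvno or an AES key is the usual reason the Kerberos token fails to verify. The following checker is an added example, not part of the original deck or of any IBM or Microsoft tool. It reads the MIT keytab format (version 0x0502, which ktpass also produces) and reports mismatches. The sample keytab bytes, the principal HOST/dpbox.mydomain.com:443@MYDOMAIN.COM and the 16-byte key are constructed inline so the script runs offline; to check a real file, read its bytes and pass them to check_keytab.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"        # MIT keytab format version 2 (also written by ktpass)
RC4_HMAC = 23                     # enctype number that ktpass -crypto RC4-HMAC-NT writes
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as a v2 keytab.
    Only used here to construct a sample file offline; real files come from ktpass."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:                     # counted strings: u16 length + bytes
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type=NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)               # 32-bit vno tail used by v2 keytabs
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _counted_string(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def parse_keytab(data):
    """Return a list of dicts {principal, kvno, enctype, key} from keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                # a non-zero 32-bit vno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def check_keytab(data, principal, kvno, enctype=RC4_HMAC):
    """Return a list of problems; an empty list means the keytab is fit to deploy."""
    matching = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not matching:
        return ["no entry for principal %s (principals and realms are case-sensitive)" % principal]
    problems = []
    for e in matching:
        if e["enctype"] != enctype:
            problems.append("%s: enctype %s, expected %s" % (
                principal, ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), ENCTYPE_NAMES[enctype]))
        if e["kvno"] != kvno:
            problems.append("%s: kvno %d, expected %d" % (principal, e["kvno"], kvno))
    return problems


# Constructed sample: the SPN registered with setspn, as ktpass -kvno 7 -crypto RC4-HMAC-NT would write it.
PRINCIPAL = "HOST/dpbox.mydomain.com:443@MYDOMAIN.COM"
SAMPLE_KEYTAB = build_keytab([(PRINCIPAL, 7, RC4_HMAC, bytes(range(16)))])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry["principal"], "kvno", entry["kvno"], ENCTYPE_NAMES.get(entry["enctype"]))
    print("problems:", check_keytab(SAMPLE_KEYTAB, PRINCIPAL, 7))
```

The kvno check matters because every time the account password is reset or ktpass is rerun with -pass, Active Directory bumps the key version; a keytab whose kvno lags the KDC's will be rejected even though the principal and enctype are right.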
Page 13 of 19