Best Practices from Oracle Development's A‑Team

WCF Interoperability with Java Kerberos - Tricky Problem - Simple Solution


File this one under hard lessons learned.

If you want to use the WS-Security Kerberos Token Profile with a Java-based client that uses the Java GSS-API, then you have to use the HMAC-RC4 encryption type.


This means you'll need JDK 1.6.

If you're setting this up the way that you've grown accustomed to (setting the "Use DES Encryption" flag in the user's Active Directory record), then you'll struggle - like I did.

You'll see odd behavior: when you try requireDerivedKeys=false, you'll get errors like:

Cannot create the 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc

In fact, if the SPN is mapped to an account with DES Encryption, you'll only be able to get this to work with requireDerivedKeys=true. The algorithm in the binding doesn't matter.

Another error that you'll encounter is:

The key size requirements for the 'Basic128' algorithm suite are not met by the 'System.IdentityModel.Tokens.KerberosReceiverSecurityToken' token which has key size of '64'

I think what they're trying to say is that the 64-bit DES key is not sufficient to work with Basic128.

In my experience, simply changing the user account mapped to the SPN to Not use DES Encryption made all of these problems go away, and interoperability work like a charm.
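To find every account that would trigger this, the following added example (not part of the original post) scans an LDIF export of the directory for SPN-bearing accounts that still have the DES flag set. It assumes the export includes `sAMAccountName`, `userAccountControl` and `servicePrincipalName`; the account names, SPNs and sample data are constructed.

```python
import re

UF_USE_DES_KEY_ONLY = 0x200000   # userAccountControl bit set by the "Use DES encryption" checkbox
BASIC128_MIN_KEY_BITS = 128      # key size the Basic128 suite demands, per the error above
DES_KEY_BITS = 64                # key size WCF reports for a DES Kerberos token, per the error above

# Constructed LDIF export (hypothetical accounts, not real directory data).
SAMPLE_LDIF = """\
dn: CN=svc-wcf-a,OU=Service,DC=example,DC=test
sAMAccountName: svc-wcf-a
userAccountControl: 2097664
servicePrincipalName: HTTP/app-a.example.test
servicePrincipalName: HTTP/app-a

dn: CN=svc-wcf-b,OU=Service,DC=example,DC=test
sAMAccountName: svc-wcf-b
userAccountControl: 66048
servicePrincipalName: HTTP/app-b.example.test

dn: CN=jdoe,OU=Users,DC=example,DC=test
sAMAccountName: jdoe
userAccountControl: 2097664
"""

def parse_ldif(text):
    """Split an LDIF export into entries; every attribute maps to a list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith((" ", "#")) or ": " not in line:
                continue  # skip comments, folded lines and anything without "name: value"
            name, value = line.split(": ", 1)
            entry.setdefault(name, []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def des_only_service_accounts(entries):
    """Return (account, SPNs) for accounts that own an SPN and are restricted to DES keys."""
    findings = []
    for e in entries:
        spns = e.get("servicePrincipalName", [])
        uac = int(e.get("userAccountControl", ["0"])[0])
        if spns and uac & UF_USE_DES_KEY_ONLY:
            findings.append((e["sAMAccountName"][0], spns))
    return findings

if __name__ == "__main__":
    for name, spns in des_only_service_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: {DES_KEY_BITS}-bit DES key < {BASIC128_MIN_KEY_BITS}; clear the flag ({', '.join(spns)})")
```

Accounts without an SPN, such as `jdoe` in the sample, are skipped because they never receive service tickets for the WCF endpoint.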
