How Do I Call a Web Service Protected by Windows Integrated Authentication? (Magic xpi 3.x)
This topic explains how to configure your environment to enable the consumption of Web services that require Integrated Windows Authentication (IWA).
An overview of IWA is available at: http://en.wikipedia.org/wiki/Integrated_Windows_Authentication
- Java Installations:
  - JDK 1.5 (or JRE 1.5) - This version of Java is installed by the Magic xpi installer.
    JDK 1.5 is required to generate a SoapClientModule (development requirement) and this installation includes a JRE 1.5 needed to run an Invoke WS command.
    This version should match the JAVA_HOME environment variable and the [MAGIC_JAVA]JAVA_HOME entry of your magic.ini file.
  - JRE 1.6 - This is an additional requirement specific to the execution of the Integrated Authentication Module.
    Note: Since 3.2 SP2a, JDK 6.0 is installed by default, so, instead of this step, you can use the installed JRE 6.0.
    The installer of JRE 1.6 can be downloaded and installed for free. After the installation, your registry is expected to hold a key under:
    HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.6 that points to an additional JAVA_HOME value (unlike the environment variable).
- Create a text file named jaasconfig.conf that holds the following content:
  KrbCredentials {
      com.sun.security.auth.module.Krb5LoginModule required debug=true
      doNotPrompt=false
      useTicketCache=true;
  };
- Add the following three entries to your magic.ini file in the [MAGIC_SPECIALS] section:
  - OverrideSoapSpyForIntegratedAuthentication=Y
  - Java1.6Home = c:\Program Files\Java\jre6
    The path should point to the new JRE 1.6 installation as mentioned in the registry.
  - IntegratedAuthenticationJvmArgs= -Djava.security.auth.login.config=c:\temp\jaasconfig.conf -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true
    The path for the configuration file (c:\temp\jaasconfig.conf in this example) should match the location of the file on your machine.
- When you invoke a Web service after this setup, the Windows log-in credentials of the current Windows user are added to each call (and are Kerberos encoded).
- The calling party and the provider must use the same Active Directory; otherwise, the authentication is expected to fail.
- Working with Integrated Windows Authentication is only possible when using the Invoke WS command. It is not supported for HTTPPost function calls.
To enable a trace on the Java proxy server making the calls, change the third SPECIAL flag as follows:
[MAGIC_SPECIALS]
IntegratedAuthenticationJvmArgs=-Djava.security.auth.login.config=C:\temp\jaasconfig.conf -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true -Dcom.magicsoftware.ssj.integratedauth.debug=true
The WS calls will now generate a log file named WsInteAuthXXXXXX.log in your %TEMP% folder.
To enable communication via a proxy server, one of the SPECIAL flags needs to be changed as follows:
[MAGIC_SPECIALS]
IntegratedAuthenticationJvmArgs=-Dhttp.proxyHost=<Proxy server IP> -Dhttp.proxyPort=<Proxy server port> -Djava.security.auth.login.config=jaasconfig.conf -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true
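A pre-flight check for the three [MAGIC_SPECIALS] entries described above, written as an added example (it is not part of the Magic xpi product or its documentation). The function names and the path_exists parameter are hypothetical. It reports missing entries, a JAAS configuration path that is relative or not found, and trace switches that are still enabled.

```python
import ntpath, os, re

# Constructed sample: the three [MAGIC_SPECIALS] entries as given on this page.
SAMPLE_INI = r"""
[MAGIC_SPECIALS]
OverrideSoapSpyForIntegratedAuthentication=Y
Java1.6Home = c:\Program Files\Java\jre6
IntegratedAuthenticationJvmArgs= -Djava.security.auth.login.config=c:\temp\jaasconfig.conf -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true
"""

def read_section(ini_text, section):
    """Return {lowercased key: value} for one section of magic.ini-style text."""
    entries, current = {}, None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().upper()
        elif current == section.upper() and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def jvm_properties(args):
    """Split a JVM argument string into {name: value} for its -Dname=value switches."""
    return dict(re.findall(r"-D([\w.]+)=(.*?)(?=\s+-D|$)", args))

def check_iwa_config(ini_text, path_exists=os.path.exists):
    """Return findings for the IWA entries, including trace switches left enabled."""
    special = read_section(ini_text, "MAGIC_SPECIALS")
    findings = []
    if special.get("overridesoapspyforintegratedauthentication", "").upper() != "Y":
        findings.append("ERROR OverrideSoapSpyForIntegratedAuthentication is not Y")
    jre_home = special.get("java1.6home", "")
    if not jre_home or not path_exists(jre_home):
        findings.append("ERROR Java1.6Home is missing or does not exist: " + jre_home)
    props = jvm_properties(special.get("integratedauthenticationjvmargs", ""))
    jaas = props.get("java.security.auth.login.config", "")
    if not jaas:
        findings.append("ERROR java.security.auth.login.config is not set")
    elif not ntpath.isabs(jaas):
        findings.append("WARN JAAS config path is relative: " + jaas)
    elif not path_exists(jaas):
        findings.append("ERROR JAAS config file not found: " + jaas)
    for name, value in sorted(props.items()):
        if name.endswith(".debug") and value.lower() == "true":
            findings.append("WARN trace switch enabled: " + name)
    return findings

if __name__ == "__main__":
    print("\n".join(check_iwa_config(SAMPLE_INI)))
```

Run it on the machine that hosts magic.ini and pass the file's text to check_iwa_config; the WARN lines for the debug switches are a reminder to turn tracing off again once troubleshooting is finished.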