Calling a Web Service Protected by Windows Integrated Authentication (Magic xpa 3.x)
This Technical Note explains how to configure your environment to enable the consumption of Web services that require Integrated Windows Authentication (IWA).
Setup Steps
- Java installations:
  JRE 1.6 or 1.7 - As of version 3.2, JDK 7.0 is installed by default, so instead of this step, you can use the installed JRE 7.0.
  The JRE installer can be downloaded and installed for free. After the installation, your registry is expected to hold a key under:
  HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.6 (or 1.7)
  that points to an additional JAVA_HOME value (unlike the environment variable).
- Create a text file named jaasconfig.conf that holds the following content:
  KrbCredentials {
    com.sun.security.auth.module.Krb5LoginModule required
      debug=true
      doNotPrompt=false
      useTicketCache=true;
  };
- Add the following three entries to your magic.ini file in the [MAGIC_SPECIALS] section:
  a. OverrideSoapSpyForIntegratedAuthentication=Y
  b. Java1.6Home = c:\Program Files\Java\jre6
     Please note that the path should point to the new JRE 1.6 installation as mentioned in the registry.
  c. IntegratedAuthenticationJvmArgs= -Djava.security.auth.login.config=c:\temp\jaasconfig.conf -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true
     Please note that the path for the configuration file (c:\temp\jaasconfig.conf in this example) should match the location of the file on your machine.
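The three magic.ini entries and the JAAS file can be checked together before the first call. The Python sketch below is an added example, not part of Magic xpa or of the original note: the function names, report keys and embedded sample text are constructed for illustration, and it assumes the login-config path contains no spaces. It also lists which debug switches are enabled so they can be reviewed once the setup works.

```python
import re

# Constructed sample: the three [MAGIC_SPECIALS] entries as written in this note.
SAMPLE_INI = r"""
[MAGIC_SPECIALS]
OverrideSoapSpyForIntegratedAuthentication=Y
Java1.6Home = c:\Program Files\Java\jre6
IntegratedAuthenticationJvmArgs= -Djava.security.auth.login.config=c:\temp\jaasconfig.conf -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true
"""
# Constructed sample: jaasconfig.conf as written in this note.
SAMPLE_JAAS = """
KrbCredentials {
  com.sun.security.auth.module.Krb5LoginModule required debug=true
  doNotPrompt=false
  useTicketCache=true;
};
"""
REQUIRED = ("OverrideSoapSpyForIntegratedAuthentication", "Java1.6Home",
            "IntegratedAuthenticationJvmArgs")

def read_specials(ini_text):
    """Return the key/value pairs found in the [MAGIC_SPECIALS] section only."""
    section, entries = None, {}
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "MAGIC_SPECIALS" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries

def check_setup(ini_text, jaas_text):
    """Summarise what to confirm in magic.ini and jaasconfig.conf."""
    specials = read_specials(ini_text)
    args = specials.get("IntegratedAuthenticationJvmArgs", "")
    # Assumption: the config path has no spaces, as in the note's example path.
    path = re.search(r"-Djava\.security\.auth\.login\.config=(\S+)", args)
    entry = re.search(
        r"KrbCredentials\s*\{([^}]*Krb5LoginModule\s+required[^}]*);\s*\}\s*;", jaas_text)
    return {
        "missing": [k for k in REQUIRED if k not in specials],
        "login_config": path.group(1) if path else None,
        # -D...debug=true switches that produce trace output
        "debug_flags": re.findall(r"-D([\w.]*debug)=true", args),
        "jaas_entry_ok": entry is not None,
        "jaas_debug": bool(entry and re.search(r"\bdebug=true\b", entry.group(1))),
        "use_ticket_cache": bool(entry and re.search(r"\buseTicketCache=true\b", entry.group(1))),
    }

if __name__ == "__main__":
    for name, value in check_setup(SAMPLE_INI, SAMPLE_JAAS).items():
        print(name, "=", value)
```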
Remarks
- When you invoke a Web service after this setup, the Windows log-in credentials of the current Windows user are added to each call (which is also Kerberos encoded).
- The calling party and the provider must use the same Active Directory; otherwise, the authentication is expected to fail.
- Working with Integrated Windows Authentication is only possible when using the Invoke WS command. It is not supported for HTTPPost function calls.
Debugging
To enable a trace on the Java proxy server making the calls, change the third special flag (IntegratedAuthenticationJvmArgs) as follows:
[MAGIC_SPECIALS]
IntegratedAuthenticationJvmArgs=-Djava.security.auth.login.config=C:\temp\jaasconfig.conf -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true -Dcom.magicsoftware.ssj.integratedauth.debug=true
The WS calls will now generate a log file named WsInteAuthXXXXXX.log in your %TEMP% folder.
Working with a Proxy Server on the LAN
To enable communication via a proxy server, one of the SPECIAL flags needs to be changed as follows:
[MAGIC_SPECIALS]
IntegratedAuthenticationJvmArgs=-Dhttp.proxyHost=<proxy server IP> -Dhttp.proxyPort=<proxy server port> -Djava.security.auth.login.config=jaasconfig.conf -Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true