Note: This blog relates to version 1.5.1 of Apache Directory Server; since then the configuration format has been changed radically. That is, version 1.5.3 cannot be configured as a KDC using the steps in this blog.
All the Kerberos authentication development I have done has been in a Windows environment. All of this development has required single-sign-on (SSO) between interoperable .NET WSE3 and Java applications. Therefore, Active Directory has been the KDC.
I really like having a full development environment on my laptop, so that if necessary, I can try things out at home or on my daily commute to work (an hour on the train). Without having a VPN to my work environment, the next best thing is to have my own KDC installed on my laptop.
As seems to be the case with nearly every type of Java enterprise component or solution one needs, the Apache Software Foundation have a great Java-based solution that fits like a hand into a glove: the Apache Directory Project.
Out of the box, Apache Directory isn't configured as a KDC, and their site makes this configuration hard to locate and understand. This blog details how I set up my Apache Directory install as a working KDC for Kerberos authentication and authorisation through Java.
Download both Apache Directory Server and its front end, Apache Directory Studio. Studio is a pretty impressive front end, and looks *really* nice. A great example of how nice an application developed on the Eclipse platform can look and feel. Anyway, go to those links and download the server and the studio and install them.
Apache Directory is Java based and runs as a Windows service. It is configured using Spring, so some familiarity with Spring is useful but not essential. Once it is installed, pull up a file browser and we'll dive in and Kerberos-alize it.
Configuring the Beast (Kerberos)
Under your Apache Directory Server install (C:\Program Files\Apache Directory Server), navigate to the folder instances\default\conf. This folder contains the config files for your server instance. server.xml is the Spring context configuration for your server, and contains the Kerberos config settings. Open this file up in a text editor.
Firstly, make sure that the kdcConfiguration bean is enabled (not commented out). You may also need to set its enabled property to true, as in the following snippets from server.xml:
```xml
<!-- Whether to enable the Kerberos protocol. -->
<property name="enabled" value="true" />
<!-- The port to run the Kerberos protocol on. -->
<property name="ipPort" value="88" />
<!--<property name="searchBaseDn" value="ou=Users" />-->
<property name="name" value="keyDerivationService" />
<property name="kdcConfiguration" ref="kdcConfiguration" />
```
Apache Directory comes with a domain, EXAMPLE.COM, already set up, which is fine for our purposes. Create the following .ldif file, changing the names where appropriate (i.e. the client and server names), and point the server.xml Spring context to it, as mentioned above. Note that the service principal carries my laptop's machine name, "BULLY", in its krb5 principal name; change this to the name of the server your service will run on.
Stop and start the Apache Directory service (on Windows this can be done through the Services administrative tool). This causes the .ldif file to be loaded, provided it has never been loaded before.
```ldif
# Web server identity/service principal.
cn: Web Server
sn: Web Server
# User / client principal.
# Ticket Granting Service.
cn: KDC Service
sn: KDC Service
```
Apache Directory Studio
Studio itself can be used to connect to any LDAP server. To connect it to Apache Directory Server, click the "New Connection..." button in the connections panel and fill out the details as follows:
Encryption Method: No encryption
Authentication Method: Simple Authentication
Bind DN or user: uid=admin,ou=system
Bind password: secret
These settings connect you to the server as the admin user, using the default credentials of a fresh install.
The .ldif file loaded above will have set up the client principal, the server principal and the krbtgt service. That is, you now have a fully functioning KDC! You can now try running your Kerberos programs against it. Your Kerberos settings should be similar to the following:
Apache Directory Server uses a rolling log file for its logging, which is an invaluable source for tracking down error messages and authentication failures. Under the install of the server, go to the instances\default\log folder and use a tailing program to view the log.
As you attempt to authenticate against the KDC, exception stack traces and error messages are printed here, which make it pretty obvious what the problem with your request was. Note also that you may have to set the rootCategory in the log4j.properties file under instances\default\conf to DEBUG to get all the information you need (and, of course, restart Apache Directory Server afterwards).
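To exercise the KDC you have just configured and produce the exchanges you would then watch in that log, here is an added Java smoke-test client; it is not code from the original post. It sets the realm and KDC address in place of a krb5.conf, logs in through JAAS and Krb5LoginModule (the AS exchange against krbtgt/EXAMPLE.COM) and then requests a ticket for the web server's principal (the TGS exchange). The client uid `hnelson`, the service principal `HTTP/bully@EXAMPLE.COM` and the password `secret` are assumptions; substitute the values from your own .ldif.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.ietf.jgss.*;

public class KdcSmokeTest {
    // Assumed values: the realm ApacheDS ships with, the KDC port from server.xml, and a
    // hypothetical client uid and service principal; change them to match your own .ldif.
    static final String REALM = "EXAMPLE.COM";
    static final String KDC = "localhost:88";
    static final String CLIENT = "hnelson";
    static final String SERVICE = "HTTP/bully@EXAMPLE.COM";
    public static void main(String[] args) throws Exception {
        char[] password = (args.length > 0 ? args[0] : "secret").toCharArray();
        // Stands in for a minimal krb5.conf: tells the JDK Kerberos client where the KDC is.
        System.setProperty("java.security.krb5.realm", REALM);
        System.setProperty("java.security.krb5.kdc", KDC);
        // Programmatic JAAS configuration, so no login.conf file is needed.
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useTicketCache", "false"); // always hit the KDC, never a cached TGT
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        });
        LoginContext lc = new LoginContext("KdcSmokeTest", callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(CLIENT);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        });
        lc.login(); // AS exchange: a TGT from krbtgt/EXAMPLE.COM; failures land in the ApacheDS log
        System.out.println("TGT obtained for " + lc.getSubject().getPrincipals());
        // TGS exchange: as the logged-in user, request a ticket for the web server's principal
        byte[] apReq = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
            GSSName peer = mgr.createName(SERVICE, GSSName.NT_USER_NAME, krb5);
            GSSContext ctx = mgr.createContext(peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
            return ctx.initSecContext(new byte[0], 0, 0); // builds the AP-REQ the service would verify
        });
        System.out.println("Service ticket obtained; AP-REQ token is " + apReq.length + " bytes");
    }
}
```

Run it with the client's password as the first argument; a failure in either step throws, and the matching KDC-side error appears in the rolling log described above.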
Most likely, you will get some error messages from the KDC when initially trying to talk to it, so post them here and we can work through them!