Java doing transparent Kerberos authentication - how?
843810 Jan 16 2009 — edited Jan 19 2009
Hello.
We have a Java EE application that provides web services for dozens of other applications inside our company. These other applications are implemented in different languages - like C#, C, Cobol etc.
We have a security module (that runs inside WebLogic) in this application that provides an authentication mechanism using SPNEGO. So, when we receive an HTTP request, the server returns a 401 with a Negotiate header, and then the client chooses if it wants to use Kerberos or NTLM to authenticate.
What I find very odd is that the .NET clients always choose to use Kerberos to authenticate (they don't have to do anything special to accomplish this, they just pass their credentials). Java clients, on the other hand, always use NTLM (and they don't need to pass any credentials - the credentials of the user running the process are used).
I did some research trying to find how to make Java clients authenticate using Kerberos in an environment like this, but I had no luck. It seems like something very simple (hell, the .NET clients do this automatically), but the only thing I could find is how to create a Java Kerberos client (something that our server does, since the server handles the Kerberos tickets). But how to make web services clients authenticate using Kerberos (when the authenticator uses SPNEGO) seems kind of a mystery.
Am I missing something?
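One way to confirm on the server side which mechanism a client actually sent in reply to the 401/Negotiate challenge described above, as an added example that is not part of the original post. The class name and result labels are hypothetical, the check is a byte-signature heuristic rather than a full ASN.1 parse, and the two sample tokens are constructed stubs:

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class NegotiateTokenKind {
    // Signature that opens every NTLM message
    static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER encoding of OID 1.2.840.113554.1.2.2 (Kerberos V5)
    static final byte[] KRB5_OID = {
        0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02
    };

    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    // Heuristic classification of an Authorization request header value
    static String classify(String header) {
        if (header == null || !header.regionMatches(true, 0, "Negotiate ", 0, 10)) {
            return "NOT_NEGOTIATE";
        }
        byte[] tok;
        try {
            tok = Base64.getDecoder().decode(header.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return "MALFORMED";
        }
        int ntlm = indexOf(tok, NTLMSSP);
        if (ntlm == 0) return "RAW_NTLM";          // NTLM sent directly under Negotiate
        if (ntlm > 0) return "NTLM_IN_SPNEGO";     // NTLM message wrapped in a SPNEGO token
        if (indexOf(tok, KRB5_OID) >= 0) return "KERBEROS";
        return "UNKNOWN";
    }

    public static void main(String[] args) {
        // Constructed stub: GSS-API tag 0x60, a length byte, then the Kerberos OID
        byte[] krb = new byte[2 + KRB5_OID.length];
        krb[0] = 0x60;
        krb[1] = (byte) KRB5_OID.length;
        System.arraycopy(KRB5_OID, 0, krb, 2, KRB5_OID.length);
        Base64.Encoder b64 = Base64.getEncoder();
        System.out.println(classify("Negotiate " + b64.encodeToString(NTLMSSP)));
        System.out.println(classify("Negotiate " + b64.encodeToString(krb)));
    }
}
```

Logging this result per client on the server shows which callers are falling back to NTLM.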