Skip to Main Content
Forums

Java Security

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Kerberos encryption for HTTP traffic

843810Oct 31 2007 — edited Nov 9 2007
Hello
I am writing client for WinRM service(Windows Vista). This service use SOAP protocol for communication.
And I cannot make subscription for Windows events using Push method.
The issue is when I try to make events subscription - Vista tries to test connection with my server, but I don't know what should I send back for test connection request to Vista WinRM... :(
I didn't find it in MSDN.
Subscription request is:
-----
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ew="http://www.example.com/warnings'" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://www.w3.org/2001/XMLSchema">
<env:Header>
<a:To s:mustUnderstand="true">HTTP://winrmcient:80/wsman/</a:To>
<w:ResourceURI>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</w:ResourceURI>
<a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe</a:Action>
<a:MessageID s:mustUnderstand="true">uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:MessageID>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<w:MaxEnvelopeSize>262144</w:MaxEnvelopeSize>
<w:Locale xml:lang="en-US"/>
<w:OperationTimeout>PT5M0.000S</w:OperationTimeout>
<w:OptionSet>
<w:Option Name="ReadExistingEvents" mustComply="false"/>
<w:Option Name="ContentFormat">RenderedText</w:Option>
</w:OptionSet>
</env:Header>
<env:Body>
<e:Subscribe>
<e:Delivery e:Mode="http://schemas.xmlsoap.org/ws/2004/08/eventing/DeliveryModes/Push">
<e:NotifyTo>
<a:Address>http://Antares:443</a:Address>
</e:NotifyTo>
</e:Delivery>
<e:Expires>PT12H0M0.000S</e:Expires>
<w:Filter>
<QueryList>
<Query Path="Security">
<Select>*</Select>
</Query>
<Query Path="System">
<Select>*</Select>
</Query>
<Query Path="Application">
<Select>*</Select>
</Query>
</QueryList>
</w:Filter>
<w:SendBookmarks/>
</e:Subscribe>
</env:Body>
</env:Envelope>

-----
WinRM connection test request is request with empty content length and with header:
-----

Host=[Antares:443], Content-type=[application/soap+xml;charset=UTF-16], Content-length=[0], Connection=[Keep-Alive], Authorization=[Kerberos YIIE4wYJKoZIhvcSAQICAQBuggTSMIIEzqADAgEFoQMCAQ6iBwMFACAAAACjggOLYYIDhzCCA4OgAwIBBaEKGwhCUS5MT0NBTKIaMBigAwIBAqERMA8bBEhUVFAbB0FudGFyZXOjggNSMIIDTqADAgEXoQMCAQ2iggNABIIDPHstoHWBhepDeU/h3o6Uuzjtgxo5SlVRVaa9JjAUcEDb4k+DKQrtwia/GtvDsmoZ4VgE8gGpJmcuZHNUEBHwEmn48RAAuo/f3o/D7hBJ3XygexN8yPZFYtElT1CvtoVOuvox83xOr9TdUn+Dd12/AupkAIxwbdHNhftcOCajJOv3NnFGoeF5+NA54VguaW1XGZxoC1mviITkfeDW0rZnKQ3aJxRDG0kKfHvWYdIlifRydQkTY/XMGHBFvd8kA8Q3M6WYVmuCKLjjJwvHjfZ56GWUpax7MlYmOGs7ncHLptCyxiV7RTiP0c00MViangq4CoioLyPwdysG7V8oyMGcc32WpsWCbXJNm5N8ijy7JxRd4W2zfzL6rpkGFQ2F0AfsH/b+Dz45sYXKyEgJajA5TK/cPiECTIMbXnkehz2yC5mjY4XalhXf4U1j/D5E2ApbG0ITUrp10a6C/dy5yEtc4CNtVHDQ30BrdZS+vxO2PwwIKZovvvlzIyddgOqyKaKhs9i3eMfF61IjhUpquK4zZYYZEqpQtkgSaDz8rurD4M5Z1CzzlID5nlVg9YsA9JhPejsdU9Rmt51OjCu8rBvd+Kb7AMkujDogOli4NVNKssdLOJl7m3ulMQTs5AFT1O7YOW4SQsos1g2UEW+JzE+sj1IGdia8xmjxuZOsWks4QgX9O0PL3LNVE/iGgR2dOQhRzhuwEJEUfHpy1BIqZzbG48KkkNxFZLgeM+ztnrssw/zaD1vTs4+EF7KPVp1ldBwPId2P6PIyd4nyX+1tJt2SYHKyk0mdxkCw8pTAfrNxJGj9Ku573YcPfFdGhTtTTzo1CJPwSQFoNlEhh7wriaED/fseIEPPLASR+wIzGVPNBb5mTCd/vCPrwsShZl0wmtwUiDgNAu2732GVb7MDSKIc/hOjZAdFqoh3KzvWUSIsdrl1Mezcjb6VSuM87f4pWaR7f0RMexNB6ZEL0RzncbMXyhmUcqNaVyCWCgWN/ovKmWt53FkBQZkZIxLZUVyi6As3bhsfVxrw6dU4oKpHesDKldHFOz1fuEv8UKu6s7DaAd1VXiLmU4uzUSfiYH0iQCYkvf1sVqKBVyrFXHHQTKSCASgwggEkoAMCAReiggEbBIIBF2DcdvxWBV/D29hIBpQ8sJk8XF+q9tVNBHm3bFXtetxKwk1UxO64r7U5YQ4kqgvAyKTq/aL9V/QrO5x1M0mbqjKrfo/ehKGy5GGUZeQ0TYhkkmdNq8Mxo2CR5IIWqzEIaB00qSkombg/3IvniUoKbHfvoGMdr63DqRr8AbmXzHK+9kfyYMkkSMn72spoPBYadYAJZ02VUJp5fdNIqsMTREfEf3qfJNdvzaCRN/BcHVJ0C/5TChf8gFMThZzHShr2j1OdWBEZ/uLsMl2INqW0/AcCfLopSTcwgip/E63Zz/mKFCq2VIPp1++KvWPUKPalzdK9Pg/AwzXM6/+SBXdWfkUJGUW9x2nHFuZ6IeoAlhS2hvNLcjJ2ww==], User-agent=[Microsoft WinRM Client]
-----
I tried to send empty response(with the same test request header) for test request but it doesn't take any effect.

WinRM subscription response is:
-----

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.xmlsoap.org/ws/2004/08/eventing/fault</a:Action>
<a:MessageID>uuid:B83898C7-9F93-4E7A-8C8C-B72C7D189908</a:MessageID>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<env:Code xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<s:Value>s:Sender</s:Value>
<s:Subcode>
<s:Value>e:EventSourceUnableToProcess</s:Value>
</s:Subcode>
</env:Code>
<env:Reason xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<s:Text xml:lang="en-US">The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </s:Text>
</env:Reason>
<s:Detail>
<w:FaultDetail>http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/UnusableAddress</w:FaultDetail>
<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858901" Machine="">
<f:Message>The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </f:Message>
</f:WSManFault>
</s:Detail>
</s:Fault>
</s:Body>
</s:Envelope>

-----

In WinRM documentation I see:
+Note: HTTP traffic by default only allows messages encrypted with
the Negotiate or Kerberos SSP.+
But I use simple java HttpConnection and there are no any references to Kerberos in JavaDoc for this class... :(
One more - I use BASIC authentication.
Does anybody know what should I send back for connection test request.
Comments
Locked Post
New comments cannot be posted to this locked post.
Post Details
Locked on Dec 7 2007
Added on Oct 31 2007
#kerberos-java-gss-jgss
9 comments
811 views