champ-wsman/KERBEROS.md
# Setting up Kerberos
In order to work against hosts in Windows domains, Kerberos typically needs to be configured.
(*Note* for Windows the user with which we connect to WinRM also needs to be in the ```WinRMRemoteWMIUsers__``` group or
else the domain admins group.)
To do this the following files are required:
* ```login.conf``` - to configure Java login configuration (JAAS). The location of this file should be set in the
```java.security.auth.login.config``` system property.
* ```krb5.conf``` - to configure Kerberos realms and KDC hosts. The location of this file should be set in the
```java.security.krb5.conf```
* (for push-based event subscriptions) a key tab file.
Also the ```javax.security.auth.useSubjectCredsOnly``` system property must be set to ```"false"```.
##Automatic configuration
A facility ```KerberosDeployer``` is provided to perform these configurations. Create a ```KerberosDeployer``` using
the ```create``` method on its companion object. Then call ```deploy``` with a ```KerberosArtifacts```
that describes the contents of the various files and settings required. In simple cases, the contents of the
files can be described in an ```application.conf``` using the ```KerberosArtifacts.simpleFromConfig``` method.
```KerberosDeployer.deploy``` writes the required contents
to random temporary files and setting the required system properties. It does this asynchronously and returns a
Scala ```Future```.
```scala
val kerberosDeployment = KerberosDeployer.create.deploy(KerberosArtifacts.simpleFromConfig)
```
This typically needs to be done only once at application startup.
# Other Kerberos-related notes
## Push event delivery
Note that for Microsoft WinRM to successfully connect to the web server receiving pushed events,
some configuration is required:
* Any user that we connect to a WinRM service as requires a service principal name (SPN).
Assuming a domain user of ```WSMan``` and a host ```host.domain.com```
running the HTTP service listening for events
use the following command on the domain controller:
```
ktpass -princ HTTP/host.domain.com@DOMAIN.COM
-mapuser WSMan@domain.com out http-web.keytab -pass password /ptype KRB5_NT_PRINCIPAL
/crypto AES128-SHA1 /kvno 0
```
**NOTE**: Do not use the ```-pass *``` option that asks for the password.
This will break the password of the WSMan user and prevent the WS-Management library from logging in to the
WinRM service at all.
* Open the properties of the WSMan user and go to the Attributes Editor tab:
* ```servicePrincipalName``` should, in this example, have a value of ```HTTP/host.domain.com```
* ```userPrincipalName``` should have a value of ```HTTP/host.domain.com@DOMAIN.COM```
By default for a user, the ```userPrincipalName```
is ```WSMan@domain.com``` and the ```servicePrincipalName``` is not set.
* Update the WSMan user properties to set 'This account supports AES 128 bit encryption' (on the Account tab)
**NOTE**: Use of the default encryption (RC4-HMAC) hits a 'bug' (rejected by Oracle/Sun - maybe
it's a Microsoft thing?) http://bugs.java.com/view_bug.do?bug_id=6717189
(see also https://community.oracle.com/thread/1527733)
* Need to copy the http-web.keytab and make it available for use within the WS-Management library.