Kerberos Class
The Kerberos class can be used to authenticate users using Kerberos 5.0.
Syntax
ipworksauth.Kerberos
Remarks
The Kerberos class implements the Kerberos protocol defined in RFC 1510 and RFC 4120. The class provides a simple interface to easily authenticate users.
Authentication
When Authenticate is called the class will attempt to authenticate the user with the Key Distribution Center (KDC). The class will communicate with the KDCHost to obtain a service ticket and populate AuthToken. The following properties are required when calling this method:
A typical sequence of messages would be:
- KRB_AS_REQ -> KDC
- KRB_AS_REP <- KDC
- KRB_TGS_REQ -> KDC
- KRB_TGS_REP <- KDC
- AuthToken is populated with the constructed KRB_AP_REQ message.
Communication with the KDCHost can be seen through the PITrail event.
Property List
The following is the full list of the properties of the class with short descriptions.
AuthToken | The authentication token. |
KDCHost | The domain name or IP address of the Key Distribution Center (KDC). |
KDCPort | The port for the Key Distribution Center (KDC). |
KeytabFile | The Kerberos Keytab file. |
Password | The user's password. |
SPN | The Service Principal Name (SPN). |
Timeout | The timeout for the class. |
User | The name and domain of the user to authenticate. |
UseTCP | Whether TCP is used when establishing the connection. |
Method List
The following is the full list of the methods of the class with short descriptions.
Authenticate | Authenticates the user. |
Config | Sets or retrieves a configuration setting. |
DoEvents | This method processes events from the internal message queue. |
Interrupt | This method interrupts the current method. |
Reset | Resets the class properties to their default values. |
Event List
The following is the full list of the events fired by the class with short descriptions.
Error | Fired when information is available about errors during data delivery. |
Log | Fires once for each log message. |
PITrail | Traces the messages sent to the server, and the respective replies. |
Config Settings
The following is a list of config settings for the class with short descriptions.
CredentialsCacheFile | The credentials cache file. |
EncodeAuthToken | Whether to Base64 encode the AuthToken. |
EncryptionTypes | The encryption types used during authentication. |
IntermediateTGSCount | Specifies the number of intermediate realms. |
IntermediateTGSKDCHosts[i] | Specifies the domain name or IP address of the Key Distribution Center (KDC) associated with the TGS realm at the specified index. |
IntermediateTGSKDCPorts[i] | Specifies the port of the Key Distribution Center (KDC) associated with TGS KDC host at the specified index. |
IntermediateTGSRealms[i] | Specifies an intermediate domain or realm facilitating cross-realm authentication at the specified index. |
Krb5Config | The client's Kerberos configuration file. |
LogKerberosPackets | Whether to include the raw Kerberos packets in PITrail output. |
LogLevel | The level of detail that is logged. |
TGSKDCHost | Specifies the domain name or IP address of the Key Distribution Center (KDC) associated with the TGS realm. |
TGSKDCPort | Specifies the port of the Key Distribution Center (KDC) associated with TGS KDC host. |
TGSRealm | Specifies the domain or realm associated with the SPN (or service). |
UsePlatformKerberosAPI | Whether to use the platform Kerberos API. |
UseTCP | Whether TCP is used when establishing the connection. |
CaptureIPPacketInfo | Used to capture the packet information. |
DelayHostResolution | Whether the hostname is resolved when RemoteHost is set. |
DestinationAddress | Used to get the destination address from the packet information. |
DontFragment | Used to set the Don't Fragment flag of outgoing packets. |
LocalHost | The name of the local host through which connections are initiated or accepted. |
LocalPort | The port in the local host where the class binds. |
MaxPacketSize | The maximum length of the packets that can be received. |
QOSDSCPValue | Used to specify an arbitrary QOS/DSCP setting (optional). |
QOSTrafficType | Used to specify QOS/DSCP settings (optional). |
ShareLocalPort | If set to True, allows more than one instance of the class to be active on the same local port. |
UseConnection | Determines whether to use a connected socket. |
UseIPv6 | Whether or not to use IPv6. |
AbsoluteTimeout | Determines whether timeouts are inactivity timeouts or absolute timeouts. |
FirewallData | Used to send extra data to the firewall. |
InBufferSize | The size in bytes of the incoming queue of the socket. |
OutBufferSize | The size in bytes of the outgoing queue of the socket. |
BuildInfo | Information about the product's build. |
GUIAvailable | Whether or not a message loop is available for processing events. |
LicenseInfo | Information about the current license. |
MaskSensitiveData | Whether sensitive data is masked in log messages. |
UseDaemonThreads | Whether threads created by the class are daemon threads. |
UseFIPSCompliantAPI | Tells the class whether or not to use FIPS certified APIs. |
UseInternalSecurityAPI | Whether or not to use the system security libraries or an internal implementation. |
AuthToken Property (Kerberos Class)
The authentication token.
Syntax
public byte[] getAuthToken();
Default Value
""
Remarks
This property holds the authentication token.
This property will be populated after calling Authenticate. It may be used by another entity to authenticate to the service. For instance, it may be used in HTTP to authenticate to a web service.
The content of this property is a KRB_AP_REQ message. This is sometimes referred to as an "Authentication Header". It is comprised of the service ticket that was obtained from the TGS and an encrypted authenticator.
This property is read-only.
KDCHost Property (Kerberos Class)
The domain name or IP address of the Key Distribution Center (KDC).
Syntax
public String getKDCHost(); public void setKDCHost(String KDCHost);
Default Value
""
Remarks
This property specifies the IP address (IP number in dotted internet format) or Domain Name of the Key Distribution Center (KDC).
If this property is set to a Domain Name, a DNS request is initiated and upon successful termination of the request, this property is set to the corresponding address. If the search is not successful, an error is returned.
KDCPort Property (Kerberos Class)
The port for the Key Distribution Center (KDC).
Syntax
public int getKDCPort(); public void setKDCPort(int KDCPort);
Default Value
88
Remarks
This property specifies the port for the Key Distribution Center (KDC). The default value is 88.
KeytabFile Property (Kerberos Class)
The Kerberos Keytab file.
Syntax
public String getKeytabFile(); public void setKeytabFile(String keytabFile);
Default Value
""
Remarks
This property specifies the path to a Kerberos Keytab file. If specified, the credentials are read from this file.
Password Property (Kerberos Class)
The user's password.
Syntax
public String getPassword(); public void setPassword(String password);
Default Value
""
Remarks
This property specifies the user's password. This must be set before calling Authenticate.
SPN Property (Kerberos Class)
The Service Principal Name (SPN).
Syntax
public String getSPN(); public void setSPN(String SPN);
Default Value
""
Remarks
This property specifies the Service Principal Name (SPN). This must be set before calling Authenticate.
Timeout Property (Kerberos Class)
The timeout for the class.
Syntax
public int getTimeout(); public void setTimeout(int timeout);
Default Value
60
Remarks
If the Timeout property is set to 0, all operations will run uninterrupted until successful completion or an error condition is encountered.
If Timeout is set to a positive value, the class will wait for the operation to complete before returning control.
The class will use DoEvents to enter an efficient wait loop during any potential waiting period, making sure that all system events are processed immediately as they arrive. This ensures that the host application does not freeze and remains responsive.
If Timeout expires, and the operation is not yet complete, the class throws an exception.
Note: By default, all timeouts are inactivity timeouts, that is, the timeout period is extended by Timeout seconds when any amount of data is successfully sent or received.
The default value for the Timeout property is 60 seconds.
User Property (Kerberos Class)
The name and domain of the user to authenticate.
Syntax
public String getUser(); public void setUser(String user);
Default Value
""
Remarks
This property specifies the name and realm/domain of the user. The value specified must be in one of the following formats:
- user@domain
- domain/user
UseTCP Property (Kerberos Class)
Whether TCP is used when establishing the connection.
Syntax
public boolean isUseTCP(); public void setUseTCP(boolean useTCP);
Default Value
False
Remarks
This property specifies whether TCP is used as the transport protocol when establishing the connection. By default this property is False and UDP will be used.
Authenticate Method (Kerberos Class)
Authenticates the user.
Syntax
public void authenticate();
Remarks
This method authenticates the User.
Authentication
When Authenticate is called the class will attempt to authenticate the user with the Key Distribution Center (KDC). The class will communicate with the KDCHost to obtain a service ticket and populate AuthToken. The following properties are required when calling this method:
A typical sequence of messages would be:
- KRB_AS_REQ -> KDC
- KRB_AS_REP <- KDC
- KRB_TGS_REQ -> KDC
- KRB_TGS_REP <- KDC
- AuthToken is populated with the constructed KRB_AP_REQ message.
Communication with the KDCHost can be seen through the PITrail event.
Config Method (Kerberos Class)
Sets or retrieves a configuration setting.
Syntax
public String config(String configurationString);
Remarks
Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.
These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.
To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).
To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.
DoEvents Method (Kerberos Class)
This method processes events from the internal message queue.
Syntax
public void doEvents();
Remarks
When DoEvents is called, the class processes any available events. If no events are available, it waits for a preset period of time, and then returns.
Interrupt Method (Kerberos Class)
This method interrupts the current method.
Syntax
public void interrupt();
Remarks
If there is no method in progress, Interrupt simply returns, doing nothing.
Reset Method (Kerberos Class)
Resets the class properties to their default values.
Syntax
public void reset();
Remarks
This method resets the properties to their default values.
Error Event (Kerberos Class)
Fired when information is available about errors during data delivery.
Syntax
public class DefaultKerberosEventListener implements KerberosEventListener {
  ...
  public void error(KerberosErrorEvent e) {}
  ...
}
public class KerberosErrorEvent {
  public int errorCode;
  public String description;
}
Remarks
The Error event is fired in case of exceptional conditions during message processing. Normally the class throws an exception.
The ErrorCode parameter contains an error code, and the Description parameter contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.
Log Event (Kerberos Class)
Fires once for each log message.
Syntax
public class DefaultKerberosEventListener implements KerberosEventListener {
  ...
  public void log(KerberosLogEvent e) {}
  ...
}
public class KerberosLogEvent {
  public int logLevel;
  public String message;
  public String logType;
}
Remarks
This event fires once for each log message generated by the class. The verbosity is controlled by the LogLevel setting.
LogLevel indicates the level of the Message. Possible values are:
0 (None) | No events are logged. |
1 (Info - default) | Informational events are logged. |
2 (Verbose) | Detailed data are logged. |
3 (Debug) | Debug data are logged. |
The value 1 (Info) logs basic information, including the URL, HTTP version, and status details.
The value 2 (Verbose) logs additional information about the request and response.
The value 3 (Debug) logs the headers and body for both the request and response, as well as additional debug information (if any).
LogType identifies the type of log entry. Possible values are:
- Info
- Verbose
- Debug
PITrail Event (Kerberos Class)
Traces the messages sent to the server, and the respective replies.
Syntax
public class DefaultKerberosEventListener implements KerberosEventListener {
  ...
  public void PITrail(KerberosPITrailEvent e) {}
  ...
}
public class KerberosPITrailEvent {
  public int direction;
  public String message;
}
Remarks
The PITrail event is useful for debugging purposes. It shows all the interaction between the client and the server. To include the raw packets set LogKerberosPackets to True.
The Message parameter contains the full text of the message. The Direction parameter shows the originator of the message:
0 (Client) | The Message originates from the client. |
1 (Server) | The Message originates from the server. |
2 (Info) | The Message is an informative message originating from the client software (the class code). |
Config Settings (Kerberos Class)
The class accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.
KERBEROS Config Settings
Alternatively, the CredentialsCacheFile setting can specify the path to a directory containing a collection of credential cache files. When a directory is specified, the path must be prefixed with DIR:. For example: DIR:C:\\krbccdir\\
EncryptionTypes values:
- rc4-hmac
- des-cbc-md5
- aes128-cts-hmac-sha1-96
The default value of EncryptionTypes is "des-cbc-md5,rc4-hmac,aes128-cts-hmac-sha1-96".
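An added example (not from the vendor documentation) that narrows the default EncryptionTypes list to its AES entry before Authenticate is called, since des-cbc-md5 and rc4-hmac are deprecated for Kerberos by RFC 6649 and RFC 8429. The KDC host, user and SPN are placeholders, and the example assumes the KDC can issue AES tickets for the account.

```java
import ipworksauth.Kerberos;

import java.io.Console;
import java.util.Arrays;

public class AesOnlyKerberosClient {
    // Default documented on this page: still offers single DES and RC4.
    static final String PAGE_DEFAULT = "des-cbc-md5,rc4-hmac,aes128-cts-hmac-sha1-96";
    // Hardened value: only the AES entry from that list.
    static final String AES_ONLY = "aes128-cts-hmac-sha1-96";

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("Run from a terminal so the password is not echoed.");
        }

        Kerberos kerberos = new Kerberos();
        kerberos.setKDCHost("kdc.example.com");    // placeholder KDC
        kerberos.setUser("alice@EXAMPLE.COM");     // placeholder, user@domain format
        kerberos.setSPN("HTTP/app.example.com");   // placeholder SPN

        // Weak:     leaving EncryptionTypes at PAGE_DEFAULT.
        // Hardened: offer AES only, and keep secrets and raw packets out of traces.
        kerberos.config("EncryptionTypes=" + AES_ONLY);
        kerberos.config("MaskSensitiveData=True");
        kerberos.config("LogKerberosPackets=False");

        // Read the setting back (Config("PROPERTY") queries a value) and refuse
        // to continue if a legacy type is still enabled.
        String effective = kerberos.config("EncryptionTypes").toLowerCase();
        if (effective.contains("des-") || effective.contains("rc4-")) {
            throw new IllegalStateException("Legacy encryption type enabled: " + effective);
        }

        char[] password = console.readPassword("Password for %s: ", kerberos.getUser());
        try {
            kerberos.setPassword(new String(password));
            // If the KDC or the account cannot use AES, this call is expected to throw;
            // the Trappable Errors list has 954 (Unsupported encryption type)
            // and 952 (Received error message).
            kerberos.authenticate();
            byte[] token = kerberos.getAuthToken();
            System.out.println("AuthToken populated: " + token.length + " bytes");
        } finally {
            // Wipes the copy this code controls; the String passed to
            // setPassword cannot be cleared.
            Arrays.fill(password, '\0');
        }
    }
}
```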
// Two intermediate realms used for cross-realm authentication
component.config("IntermediateTGSCount=2");
component.config("IntermediateTGSRealms[0]=example2.com");
component.config("IntermediateTGSKDCHosts[0]=kdc.example2.com");
component.config("IntermediateTGSKDCPorts[0]=88"); // default
component.config("IntermediateTGSRealms[1]=example4.com");
component.config("IntermediateTGSKDCHosts[1]=kdc.example4.com");
component.config("IntermediateTGSKDCPorts[1]=88"); // default
When Krb5Config is specified, the class will parse the default realm present in the configuration file (under the "libdefaults" section), along with all listed realms and KDCs (under the "realms" section). The default realm will be used during authentication, unless a domain/realm is specified in the User property. Note that in this case, the User property may be set to only a username to allow the class to use the appropriate default realm.
Assuming a default realm is found and KDCHost is not specified, the primary KDC associated with this realm will be used during authentication. Additional KDCs will be used only if authentication with the primary KDC fails. Note that if no KDCs are specified for a realm and "dns_lookup_kdc" is set to true in the configuration file, the class will perform a DNS query in an attempt to resolve the KDC's host name and port.
All additional realms will be stored as intermediate realms in case cross-realm authentication is needed.
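An added example (not the class's own parser) that reads a krb5.conf and reports, following the rules described above, which realm is the default, which KDC is primary, which are fallbacks, which realms become intermediates, and which realms would have their KDC located by DNS. The sample file is constructed, all realm and host names are placeholders, and only multi-line `REALM = { ... }` blocks are handled.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class Krb5ConfAudit {
    // Constructed sample; realms and hosts are placeholders.
    static final String SAMPLE = String.join("\n",
        "[libdefaults]",
        "    default_realm = EXAMPLE.COM",
        "    dns_lookup_kdc = true",
        "[realms]",
        "    EXAMPLE.COM = {",
        "        kdc = kdc1.example.com",
        "        kdc = kdc2.example.com:88",
        "    }",
        "    EXAMPLE2.COM = {",
        "        kdc = kdc.example2.com",
        "    }",
        "    EXAMPLE3.COM = {",
        "    }");

    /** Returns one finding per realm describing which KDCs a client would contact. */
    static List<String> audit(String conf) {
        String section = "", realm = null, defaultRealm = null;
        boolean dnsLookupKdc = false;
        Map<String, List<String>> kdcs = new LinkedHashMap<>();

        for (String raw : conf.split("\\R")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                section = line.substring(1, line.length() - 1).trim();
                realm = null;
                continue;
            }
            if (line.equals("}")) { realm = null; continue; }
            int eq = line.indexOf('=');
            if (eq < 0) continue;
            String key = line.substring(0, eq).trim();
            String value = line.substring(eq + 1).trim();
            if (section.equals("libdefaults")) {
                if (key.equals("default_realm")) defaultRealm = value;
                if (key.equals("dns_lookup_kdc")) dnsLookupKdc = value.equalsIgnoreCase("true");
            } else if (section.equals("realms")) {
                if (value.equals("{")) {            // start of a realm block
                    realm = key;
                    kdcs.put(realm, new ArrayList<>());
                } else if (realm != null && key.equals("kdc")) {
                    kdcs.get(realm).add(value);     // file order: first entry is primary
                }
            }
        }

        List<String> findings = new ArrayList<>();
        findings.add("default realm: " + defaultRealm);
        for (Map.Entry<String, List<String>> e : kdcs.entrySet()) {
            String role = e.getKey().equals(defaultRealm) ? "default" : "intermediate";
            List<String> hosts = e.getValue();
            if (hosts.isEmpty()) {
                findings.add(e.getKey() + " (" + role + "): no kdc listed, "
                    + (dnsLookupKdc ? "KDC located by DNS query" : "no KDC available"));
            } else {
                findings.add(e.getKey() + " (" + role + "): primary " + hosts.get(0)
                    + ", fallback " + hosts.subList(1, hosts.size()));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        audit(SAMPLE).forEach(System.out::println);
    }
}
```

A realm reported as located by DNS query depends on the resolver's answers to find its KDC; listing `kdc` entries for it in the file, or setting KDCHost, removes that dependency.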
0 (None) | No events are logged. |
1 (Info - default) | Informational events are logged. |
2 (Verbose) | Detailed data are logged. |
3 (Debug) | Debug data are logged. |
The value 1 (Info) logs basic information, including the URL, HTTP version, and status details.
The value 2 (Verbose) logs additional information about the request and response.
The value 3 (Debug) logs the headers and body for both the request and response, as well as additional debug information (if any).
Note: This functionality is only available on Windows.
UDP Config Settings
The default value for this setting is False.
Note: This configuration setting is available only in Windows.
The default value is false.
Note: This configuration setting is available only in Windows.
In multihomed hosts (machines with more than one IP interface), setting LocalHost to the value of an interface will make the class initiate connections (or accept in the case of server classes) only through that interface.
If the class is connected, the LocalHost setting shows the IP address of the interface through which the connection is made in internet dotted format (aaa.bbb.ccc.ddd). In most cases, this is the address of the local host, except for multihomed hosts (machines with more than one IP interface).
Setting this to 0 (default) enables the system to choose a port at random. The chosen port will be shown by LocalPort after the connection is established.
LocalPort cannot be changed once a connection is made. Any attempt to set this when a connection is active will generate an error.
This configuration setting is useful when trying to connect to services that require a trusted port on the client side. An example is the remote shell (rsh) service in UNIX systems.
Note: This configuration setting uses the qWAVE API and is available only on Windows 7, Windows Server 2008 R2, and later.
Note: This configuration setting uses the qWAVE API and is available only on Windows Vista and Windows Server 2008 or above.
Note: QOSTrafficType must be set before setting Active to True.
The default value for this setting is False.
The default value for this setting is False.
Socket Config Settings
Note: This option is not valid for User Datagram Protocol (UDP) ports.
Some TCP/IP implementations do not support variable buffer sizes. If that is the case, when the class is activated the InBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.
Some TCP/IP implementations do not support variable buffer sizes. If that is the case, when the class is activated the OutBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.
Base Config Settings
In some non-GUI applications, an invalid message loop may be discovered that will result in errant behavior. In these cases, setting GUIAvailable to false will ensure that the class does not attempt to process external events.
- Product: The product the license is for.
- Product Key: The key the license was generated from.
- License Source: Where the license was found (e.g., RuntimeLicense, License File).
- License Type: The type of license installed (e.g., Royalty Free, Single Server).
- Last Valid Build: The last valid build number for which the license will work.
This setting only works on these classes: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.
The Java edition requires installation of the FIPS-certified Bouncy Castle library regardless of the target operating system. This can be downloaded from https://www.bouncycastle.org/fips-java/. Only the "Provider" library is needed. The jar file should then be installed in a JRE search path.
The following classes must be imported in the application in which the component will be used:
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
The Bouncy Castle provider must be added as a valid provider and must also be configured to operate in FIPS mode:
System.setProperty("org.bouncycastle.fips.approved_only","true");
Security.addProvider(new BouncyCastleFipsProvider());
When UseFIPSCompliantAPI is true, Secure Sockets Layer (SSL)-enabled classes can optionally be configured to use the Transport Layer Security (TLS) Bouncy Castle library. When SSLProvider is set to sslpAutomatic (default) or sslpInternal, an internal TLS implementation is used, but all cryptographic operations are offloaded to the Bouncy Castle FIPS provider to achieve FIPS-compliant operation. If SSLProvider is set to sslpPlatform, the Bouncy Castle JSSE will be used in place of the internal TLS implementation.
To enable the use of the Bouncy Castle JSSE take the following steps in addition to the steps above. Both the Bouncy Castle FIPS provider and the Bouncy Castle JSSE must be configured to use the Bouncy Castle TLS library in FIPS mode. Obtain the Bouncy Castle TLS library from https://www.bouncycastle.org/fips-java/. The jar file should then be installed in a JRE search path.
The following classes must be imported in the application in which the component will be used:
import java.security.Security;
//required only for the optional BCJSSE logging configuration
import java.util.logging.Logger;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
//required to use BCJSSE when SSLProvider is set to sslpPlatform
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
The Bouncy Castle provider must be added as a valid provider and also must be configured to operate in FIPS mode:
System.setProperty("org.bouncycastle.fips.approved_only","true");
Security.addProvider(new BouncyCastleFipsProvider());
//required to use BCJSSE when SSLProvider is set to sslpPlatform
Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS"));
//optional - configure logging level of BCJSSE
Logger.getLogger("org.bouncycastle.jsse").setLevel(java.util.logging.Level.OFF);
//configure the class to use BCJSSE
component.setSSLProvider(1); //platform
component.config("UseFIPSCompliantAPI=true");
Note: TLS 1.3 support requires the Bouncy Castle TLS library version 1.0.14 or later.
FIPS mode can be enabled by setting the UseFIPSCompliantAPI configuration setting to true. This is a static setting that applies to all instances of all classes of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.
For more details, please see the FIPS 140-2 Compliance article.
Note: Enabling FIPS compliance requires a special license; please contact sales@nsoftware.com for details.
Setting this configuration setting to true tells the class to use the internal implementation instead of using the system security libraries.
This setting is set to false by default on all platforms.
Trappable Errors (Kerberos Class)
Kerberos Errors
950 | Busy performing other action. |
951 | Invalid username. |
952 | Received error message. The error message contains the description. |
953 | Message integrity check error. |
954 | Unsupported encryption type. |
UDP Errors
104 | UDP is already Active. |
106 | You cannot change the LocalPort while the class is Active. |
107 | You cannot change the LocalHost at this time. A connection is in progress. |
109 | The class must be Active for this operation. |
112 | You cannot change MaxPacketSize while the class is Active. |
113 | You cannot change ShareLocalPort option while the class is Active. |
114 | You cannot change RemoteHost when UseConnection is set and the class Active. |
115 | You cannot change RemotePort when UseConnection is set and the class is Active. |
116 | RemotePort cannot be zero when UseConnection is set. Please specify a valid service port number. |
117 | You cannot change UseConnection while the class is Active. |
118 | Message cannot be longer than MaxPacketSize. |
119 | Message too short. |
434 | Unable to convert string to selected CodePage. |
TCP/IP Errors
10004 | [10004] Interrupted system call. |
10009 | [10009] Bad file number. |
10013 | [10013] Access denied. |
10014 | [10014] Bad address. |
10022 | [10022] Invalid argument. |
10024 | [10024] Too many open files. |
10035 | [10035] Operation would block. |
10036 | [10036] Operation now in progress. |
10037 | [10037] Operation already in progress. |
10038 | [10038] Socket operation on nonsocket. |
10039 | [10039] Destination address required. |
10040 | [10040] Message is too long. |
10041 | [10041] Protocol wrong type for socket. |
10042 | [10042] Bad protocol option. |
10043 | [10043] Protocol is not supported. |
10044 | [10044] Socket type is not supported. |
10045 | [10045] Operation is not supported on socket. |
10046 | [10046] Protocol family is not supported. |
10047 | [10047] Address family is not supported by protocol family. |
10048 | [10048] Address already in use. |
10049 | [10049] Cannot assign requested address. |
10050 | [10050] Network is down. |
10051 | [10051] Network is unreachable. |
10052 | [10052] Net dropped connection or reset. |
10053 | [10053] Software caused connection abort. |
10054 | [10054] Connection reset by peer. |
10055 | [10055] No buffer space available. |
10056 | [10056] Socket is already connected. |
10057 | [10057] Socket is not connected. |
10058 | [10058] Cannot send after socket shutdown. |
10059 | [10059] Too many references, cannot splice. |
10060 | [10060] Connection timed out. |
10061 | [10061] Connection refused. |
10062 | [10062] Too many levels of symbolic links. |
10063 | [10063] File name is too long. |
10064 | [10064] Host is down. |
10065 | [10065] No route to host. |
10066 | [10066] Directory is not empty. |
10067 | [10067] Too many processes. |
10068 | [10068] Too many users. |
10069 | [10069] Disc Quota Exceeded. |
10070 | [10070] Stale NFS file handle. |
10071 | [10071] Too many levels of remote in path. |
10091 | [10091] Network subsystem is unavailable. |
10092 | [10092] WINSOCK DLL Version out of range. |
10093 | [10093] Winsock is not loaded yet. |
11001 | [11001] Host not found. |
11002 | [11002] Nonauthoritative 'Host not found' (try again or check DNS setup). |
11003 | [11003] Nonrecoverable errors: FORMERR, REFUSED, NOTIMP. |
11004 | [11004] Valid name, no data record (check DNS setup). |