Layer7 API Management

  • 1.  WebSocket : Kerberos Authentication

    Posted Dec 09, 2016 12:37 PM

    Hi,

    I've managed to get the WebSocket connection working with the tactical WebSocket assertion. However, I'm having trouble with Kerberos authentication.

    I've added the "Require Windows Authentication" assertion to my inbound policy; however, I do not see the 401 being sent (through Wireshark).

    Anyone?



  • 2.  Re: WebSocket : Kerberos Authentication

    Posted Dec 20, 2016 05:57 PM

    Hi sharkkae,

    I know this might sound obvious, but have you reviewed the documentation for the Require Windows Integrated Authentication Credentials assertion? There are many little notes that can be helpful in that documentation for this use-case with that particular assertion. One of those many notes may apply to your environment. There are a few items to note on there, but the ones I think may be the most applicable to you are noted in the big "Note" section in the middle of the page, which states the following verbatim:

    Notes: (1) The policy fragment above does not support delegated credentials use case. It is intended to support authentication of the user credentials using available authentication assertions only. (2) Before using the Require Windows Integrated Authentication Credentials assertion, ensure the procedure under Configure the Gateway for Windows Domain Login has been performed.

    Please review the documentation on that assertion, ensure that all the prerequisites are successfully completed, and then update this thread with the current status and preferably snippets of logs or audits showing any errors when running a test against the service using that assertion.

    Thank you.

    Sincerely,

    Dustin Dauncey

    Sr Support Engineer, Global Customer Success

    Email: Dustin.Dauncey@ca.com

    Phone: +1 800 225 5224 ,48385

    Phone if outside North America - https://tinyurl.com/CAContactSupport

    CA API Management Community: https://tinyurl.com/CAAPIMCommunity



  • 3.  Re: WebSocket : Kerberos Authentication

    Posted Dec 21, 2016 01:32 AM

    Hi Dustin,

    I've set up the environment for the use case of Kerberos authentication and delegation prior, and both of those cases work fine. However, I'm unable to get Kerberos authentication to work with WebSocket policies.

    In the documentation, it speaks of possible scenarios, one of which is the security aspect.

    WebSocket Scenarios - CA API Gateway - 9.1 - CA Technologies Documentation

    Instead of HTTP basic credentials, I would like to authenticate with Kerberos as this would allow seamless integration.

    As per the scenario, it mentions a 401 error returned on the failure to submit credentials prior to the upgrade of protocol. However, I do not see the 401 returned (in Wireshark) and was wondering if this feature is supported.

    Regards,

    Shawn



  • 4.  Re: WebSocket : Kerberos Authentication

    Broadcom Employee
    Posted Dec 29, 2016 03:35 PM

    Hi Shawn,

    Can you provide the version you are using for the WebsocketAssertion?

    Michael



  • 5.  Re: WebSocket : Kerberos Authentication
    Best Answer

    Broadcom Employee
    Posted Dec 29, 2016 05:21 PM

    Shawn,

    You can refer to Manage WebSocket Connections - CA API Gateway - 9.2 - CA Technologies Documentation for documentation.

    Please note, if you have set up the WebSocket connection before switching to the Tactical's WebSocket Connection, you would have to ensure the required (basic/windows) credential assertion etc. is in the Connection policy instead of the inbound policy.

    I have tried the following:

    1. Set up 9.1 with MAG license.
    2. Removed 9.1 Websocket assertion and put in WebSocketAssertion-9.1.00-47306.aar
    3. Created a policy with only the "Require Windows Integrated Authenticated Credentials" assertion
    4. Added a Manage WebSocket Connections (mapped to an echo server) with connection policy set to the above policy
    5. Opened Wireshark and filtered on the WebSocket connection port
    6. Initiated the WebSocket connection
    7. I see the HTTP 401 message in the Wireshark capture

     

    Michael
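
The check in steps 5 to 7 above can also be scripted instead of read from a packet capture. The following is an added example, not part of the original thread and not product code: it sends a WebSocket upgrade request with no credentials and classifies the reply. It assumes the Windows integrated challenge arrives as `WWW-Authenticate: Negotiate` (SPNEGO over HTTP) and that the listener is plaintext; the function names are hypothetical.

```python
import base64
import os
import socket

def build_upgrade_request(host: str, path: str = "/") -> bytes:
    """WebSocket opening handshake (RFC 6455) that deliberately carries no credentials."""
    key = base64.b64encode(os.urandom(16)).decode()
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")

def classify_handshake(raw: bytes) -> str:
    """Classify the gateway's answer to an unauthenticated upgrade request."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "malformed"
    status = int(parts[1])
    schemes = set()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            # The first token of each challenge header is the auth scheme.
            schemes.add(value.split()[0].rstrip(",").lower())
    if status == 101:
        return "upgraded-without-credentials"  # connection policy is not enforcing auth
    if status == 401:
        return "negotiate-challenge" if "negotiate" in schemes else "challenge-without-negotiate"
    return f"unexpected-status-{status}"

def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> str:
    """Send the handshake to a plaintext listener and classify the response headers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_upgrade_request(host, path))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_handshake(data)

if __name__ == "__main__":
    # Constructed sample responses, not captures from a real gateway.
    challenge = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n"
    upgraded = b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n\r\n"
    print(classify_handshake(challenge), classify_handshake(upgraded))
```

A result of `upgraded-without-credentials` from `probe()` corresponds to the symptom in the first post: the upgrade completes and no 401 is ever sent, which points at the credential assertion not being in the policy that guards the connection.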



  • 6.  Re: WebSocket : Kerberos Authentication

    Posted Jan 02, 2017 11:46 PM

    Hi Michael,

    Thanks for the update. Managed to get it to work on my end.

    I guess the documentation on websocket scenario is a tad outdated.

    Regards,

    Shawn