Liberty SPNEGO with multiple Kerberos Realms

Can Liberty support multiple Kerberos Realms so that two different applications running on the same JVM can authenticate users from different Kerberos realms?

Classic WebSphere supports HTTP filters that support setting the Kerberos Realm Name, so that SPNs from different realms can be used:
https://www.ibm.com/support/knowledgecenter/SS7K4U_7.0.0/com.ibm.websphere.soafep.multiplatform.doc/info/ae/ae/rsec_SPNEGO_filter_commands.html

krb5Realm: This parameter is not required. Use to supply a Kerberos realm name. If the krb5Realm parameter is not specified, the default Kerberos realm name in the Kerberos configuration file is used.

So, a single WAS server can support multiple REALMs.

Is this possible in Liberty? Could this be handled by specifying multiple spnego elements?

Using multiple spnego elements is suggested by the following link, which sets an id for the spnego element, which suggests multiple can be set:
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_spnego_config.html

Is setting the Realm Name in the servicePrincipalNames supported?
servicePrincipalNames="HTTP/myprinc.ex2.com@EX2.COM"
