Ajay Verma

Reputation: 21

How to do Kerberos client authentication .Net api 7.1

I am using Solace as middleware for client and server communication. I want to move from none to Kerberos authentication.

Servers are Unix and already configured for Kerberos authentication. The client is a .NET desktop GUI application, and there are multiple users.

I have some questions regarding client Kerberos authentication.

  1. Do we need a keytab file to connect to the server, and should the keytab file be common for all users, or should a keytab file be created with each user's credentials?
  2. What if the password changes?
  3. Do we need to ask users to install java to get kinit or krb5?
  4. What are the setting/configuration required on client side?

Thanks in advance..!

Upvotes: 2

Views: 1229

Answers (1)

Alexandra Masse

Reputation: 1297

You do need to add a keytab to Solace's /keytabs directory. To configure the keys from the keytab tab to Solace's registered key table after the file has been added, enter the following Kerberos Keytab Authentication CONFIG CLI command:

solace(config-kerberos keytab)# add-keytab <keytab-filename> <index>

The number of keytab files is completely dependent on your setup. Typically, there will be one keytab file per IP address that is common for all users, but if your setup requires greater control, you can add up to a total of 48 keytabs.

When you change your Kerberos password, you will need to recreate and re-add all your keytabs.

The client-side API requirements for a client to use Kerberos authentication do include using the appropriate Java distribution or installed Kerberos libraries for the messaging API that is used. For .NET applications, the SSPI that is distributed with Windows is used, so Java is not required.

A client application must also set the authentication scheme to Kerberos for the respective session. In .NET, this is done with the SessionProperties.AuthenticationSchemeKRB session property. You can also set the Service Principal Name with the Session.Properties.KRBServiceName session property.

Upvotes: 1
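
A client-side sketch of the session setup the answer describes, added here as an example and not part of the answer or of Solace's own samples. It assumes the Solace .NET API (SolaceSystems.Solclient.Messaging) exposes the scheme as `SessionProperties.AuthenticationScheme` with the enum value `AuthenticationSchemes.GSS_KRB`; the host, VPN name and service name are constructed placeholders.

```csharp
using System;
using SolaceSystems.Solclient.Messaging;

class KerberosConnectExample
{
    static int Main()
    {
        // Constructed placeholders: substitute your broker address and message VPN.
        const string host = "broker.example.com";
        const string vpn = "example-vpn";

        ContextFactory.Instance.Init(new ContextFactoryProperties
        {
            SolClientLogLevel = SolLogLevel.Warning
        });
        try
        {
            var props = new SessionProperties
            {
                Host = host,
                VPNName = vpn,
                // No UserName/Password and no client-side keytab: SSPI supplies the
                // Kerberos credentials (assumes the user is logged on to the domain).
                AuthenticationScheme = AuthenticationSchemes.GSS_KRB,
                // Service part of the broker's SPN; "solace" is an assumed value and
                // must match the principal in the keytab loaded on the broker.
                KRBServiceName = "solace"
            };

            using (IContext context = ContextFactory.Instance.CreateContext(new ContextProperties(), null))
            using (ISession session = context.CreateSession(
                props,
                (sender, msgArgs) => msgArgs.Message.Dispose(),   // no messages expected here
                (sender, evArgs) => Console.WriteLine($"Session event: {evArgs.Event} {evArgs.Info}")))
            {
                ReturnCode rc = session.Connect();
                if (rc != ReturnCode.SOLCLIENT_OK)
                {
                    // Typical causes: no valid ticket for the user, SPN mismatch, clock skew.
                    Console.Error.WriteLine($"Kerberos connect failed: {rc}");
                    return 1;
                }
                Console.WriteLine("Connected with Kerberos authentication.");
                session.Disconnect();
                return 0;
            }
        }
        finally
        {
            ContextFactory.Instance.Cleanup();
        }
    }
}
```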
