Kerberos Authentication

Question

Hi. I'm trying to use SoapUI 5.0.0 to execute a request against a web service using SPNEGO/Kerberos authentication. The machine running it is an Active Directory joined Windows 7 client. However I always get back an HTTP 401 Unauthorized. Switching to NTLM using the same set of credentials works just fine. I've come across this link http://www.soapui.org/soap-and-wsdl/spn ... ation.html which describes how to make this work for version 4.6.0, however I'm not finding the soapUI-pro-&lt;version&gt;.vmoptions file (maybe because I'm not using the Pro version). Do you know if there's an alternate procedure to be used ?

nmrao · Answer

If you are using free edition, try adding the mentioned system property(i mean, the link you pointed in your post) in JAVA_OPTS of SOAPUI_HOME/bin/soapui.sh /bat

mchong · Answer

Hi,I am trying to test the "SPNEGO/kerberos" authorization from soapUI 5.1.3 with "Authenticate Preemptively" being set in the global HTTP settings.&nbsp;&nbsp;&nbsp;Upon testing, however, no authorization header seemed to be sent to the server according to the http log below.&nbsp;&nbsp;Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "POST /IHIS HTTP/1.1[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "Accept-Encoding: gzip,deflate[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "Content-Type: text/xml;charset=UTF-8[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "SOAPAction: "http://warehouse.acme.com/ws/listProducts"[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "Content-Length: 282[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "Host: explore.apim.ca:8080[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "Connection: Keep-Alive[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "&lt;soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://warehouse.acme.com/ws"&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;soapenv:Header/&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;soapenv:Body&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;ws:listProducts&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;ws:delay&gt;1&lt;/ws:delay&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;/ws:listProducts&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;/soapenv:Body&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "&lt;/soapenv:Envelope&gt;"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "HTTP/1.1 401 Unauthorized[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "Server: Apache-Coyote/1.1[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "WWW-Authenticate: Negotiate[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "L7-Policy-URL: http://explore.apim.ca:8080/ssg/policy/disco?serviceoid=4c0fe71b6a3370793a6a38b0f454ae9b[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "Content-Length: 23[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "Date: Sun, 21 Jun 2015 15:52:17 GMT[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "Authentication Required"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "POST /IHIS HTTP/1.1[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "Accept-Encoding: gzip,deflate[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "Content-Type: text/xml;charset=UTF-8[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "SOAPAction: "http://warehouse.acme.com/ws/listProducts"[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "Content-Length: 282[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "Host: explore.apim.ca:8080[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "Connection: Keep-Alive[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "&lt;soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://warehouse.acme.com/ws"&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;soapenv:Header/&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;soapenv:Body&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;ws:listProducts&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;ws:delay&gt;1&lt;/ws:delay&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;/ws:listProducts&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; " &lt;/soapenv:Body&gt;[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&gt;&gt; "&lt;/soapenv:Envelope&gt;"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "HTTP/1.1 401 Unauthorized[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "Server: Apache-Coyote/1.1[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "WWW-Authenticate: Negotiate[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "L7-Policy-URL: http://explore.apim.ca:8080/ssg/policy/disco?serviceoid=4c0fe71b6a3370793a6a38b0f454ae9b[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "Content-Length: 23[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "Date: Sun, 21 Jun 2015 15:52:17 GMT[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "[][
]"Sun Jun 21 23:52:14 SGT 2015:DEBUG:&lt;&lt; "Authentication Required"&nbsp;I've also done the recommendations as specified in&nbsp;http://www.soapui.org/soap-and-wsdl/spnego/kerberos-authentication.html to resolve this issue but these are not working also. Is this a known bug in soapUI 5.1.3?&nbsp;

mschwarz · Answer

Hi,&nbsp;it seems like I have exactly the same issue. Has this ever been resolved?&nbsp;Best regards,Matthias

nmrao · Answer

What version are you using? See this documentation link which says it is addressed.Can you please try the latest version if not already?https://www.soapui.org/soap-and-wsdl/spnego/kerberos-authentication.html#_ga=1.181474341.347913636.1434163329

mschwarz · Answer

Hi,&nbsp;thanks for the response! I've tried with version 5.3.0. With the basic steps I'm running into the same issue as described above, with the advanced configuration which involves a JAAS config and a keytab file it works fine. I guess that's the way to go then.&nbsp;Best regards,Matthias

Forum Discussion

Kerberos Authentication

6 Replies

Recent Discussions

Log4j vulnerability (CVE-2025-68161)

Signature\Encryption tags missing in Security Header

CVE-2024-7565 and CVE-2017-16670 vulnabilities

Related Content

ReadyAPI throws 401 unauthorized error when accessing kerberos authenticated wsdl.

Unable to authenticate license in Ready API Login button unresponsive

Kerberos authentication