Authenticating with Active Directory via Kerberos
Question
I'm working on building an android application which requires different levels of authentication, and I would like to do so using Active Directory.
From what I've read, using Kerberos is the way Microsoft suggests. How do I do this for Android? I see the javax.security.auth doc , but it doesn't tell me too much.
I also saw a note somewhere that Kerberos does not contain user groups - is this true? In that case, would I have to somehow combine LDAP as well?
EDIT
The main goal here is achieving an LDAP connection to the active directory in order to authenticate and give the user correct permissions for the enterprise Android application. The real barrier here is the fact that Google left out many of the Java Web Services API from it's port to android. (ie javax.naming ) Also, many of the connection mechanisms in the Android jar seem to be only included as legacy code, and they in fact actually do nothing.
4 answers
solution1
3 2011-10-26 02:00:55
I found the documentation here to be really useful when I was writing my code to authenticate with my Kerberos server. Here's how I authenticate with my kerberos server, but you might need to tweak it for yours (hence me including the link):
public static final int REGISTRATION_TIMEOUT = 30 * 1000; // ms
private static DefaultHttpClient httpClient;
private static final AuthScope SERVER_AUTH_SCOPE =
new AuthScope("urls to kerberos server", AuthScope.ANY_PORT);
public static DefaultHttpClient getHttpClient(){
if(httpClient == null){
httpClient = new DefaultHttpClient();
final HttpParams params = httpClient.getParams();
HttpConnectionParams.setConnectionTimeout(params, REGISTRATION_TIMEOUT);
HttpConnectionParams.setSoTimeout(params, REGISTRATION_TIMEOUT);
ConnManagerParams.setTimeout(params, REGISTRATION_TIMEOUT);
}
return httpClient;
}
public static boolean authenticate(String username, String password)
{
UsernamePasswordCredentials creds =
new UsernamePasswordCredentials(username, password);
DefaultHttpClient client = getHttpClient();
client.getCredentialsProvider().setCredentials(SERVER_AUTH_SCOPE, creds);
boolean authWorked = false;
try{
HttpGet get = new HttpGet(AUTH_URI);
HttpResponse resp = client.execute(get);
authWorked = resp.getStatusLine().getStatusCode() != 403
}
catch(IOException e){
Log.e("TAG", "IOException exceptions");
//TODO maybe do something?
}
return authWorked;
}
solution2
3 ACCPTED 2011-10-26 16:49:48
For that you might be better off just staying completely within LDAP and don't venture into the kerberos. Kerberos gives you advantage of Single Sign On, but since your android app doesn't have any credentials already in place it doesn't really help you. I guess google had their own reasons not to include the javax.naming into the distro. It is pretty heavy stuff.
You might be able to either port the stuff yourself from java runtime library sources, or might be better off using native LDAP library. For example this one .
Just remember to use secure LDAP connection or at least secure authentication method. More info about this is here .
solution3
2 2011-10-25 16:45:09
Have you looked at using JCIFS ? Based on these questions [1] [2] and this site , JCIFS works under Android. The JCIFS site has a simple NTLM Authenticator example that could help get you started. However, based on this Samba list message , you will need to use LDAP and custom code to get the user's groups.
solution4
1 2011-10-16 18:06:42
Try this tutorial from Oracle. My code likes a charm. Hopefully everything is included in Android's VM distro.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.