HTTP traffic encryption with Kerberos (for Vista winrm)
Hi everybody.
I am trying to connect to the winrm service using Kerberos authentication and there are no problems with it. But this service allows (by default) only Kerberos- or Negotiate-encrypted HTTP messages. Does anybody know how to do it? I am using the standard HttpURLConnection class, but after many unsuccessful attempts at investigating Kerberos HTTP encryption I am ready to use any other HTTP client which supports Kerberos authentication and message encryption.
By [bioforma] at [2007-11-27 9:42:01]

# 2
> The WinRM service implements the WS-Management protocol and its help contains:
Transport must be one of:
HTTP - Listen for requests on HTTP (port 80)
HTTPS - Listen for requests on HTTPS (port 443)
Note: HTTP traffic by default only allows messages encrypted with
the Negotiate or Kerberos SSP.
--> I found this information:
The WS-Management specification is not tied to any specific transport mechanism, so that any SOAP-enabled transport can be used as a carrier for WS-Management messages. However, the specification does establish common usages over either HTTP or HTTPS.
Because it uses the standard web services TCP ports, port 80 (HTTP port) and port 443 (HTTPS port), it is a "firewall-friendly" protocol. For example, if IT administrators are using servers that can only have port 443 open because of firewall restrictions, the WS-Management protocol provides complete access between the server and the management application. Administrators can use the standard encrypted HTTP port without the need to open any additional ports on the managed server.
WS-Management supports mutual authentication, integrity, and encryption through the use of SSL. It also supports Kerberos, an authentication technology that is supported natively in many operating systems such as Windows Server 2003. The use of Kerberos enables single-sign-on capabilities to simplify security configuration.
# 3
I read the Wikipedia entry on WS-Management and also the spec on http://www.dmtf.org/standards/wbem/wsman.
In DSP0226 Appendix A, spnego-kerberos with both HTTP and HTTPS are listed. However, in the HTTP one (12.14), there is:
"While this profile supports secure authentication, because it is not encrypted, it represents security risks such as information disclosure because the SOAP traffic is in plain text. It should not be used in environments with a requirement for a high level of security."
So there's no encryption here?
# 8
First of all you should configure winrm on Windows Vista:
1. Log in with the "Administrator" account
2. In the "cmd" console you should execute:
a) winrm quickconfig
b) winrm set winrm/config/service @{AllowUnencrypted="true"}
c) winrm set winrm/config/service/Auth @{Basic="true"}
Then you can make an HTTP request - for example you can create a subscription for the Windows Event Log. The HTTP request (POST method) should contain XML like:
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://www.w3.org/2001/XMLSchema">
  <env:Header>
    <a:To s:mustUnderstand="true">http://UVISTA:80/wsman/</a:To>
    <w:ResourceURI>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</w:ResourceURI>
    <a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe</a:Action>
    <a:MessageID s:mustUnderstand="true">uuid:65b8a955-b07e-494e-a463-ce484173dfb1</a:MessageID>
    <a:ReplyTo>
      <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
    </a:ReplyTo>
    <w:MaxEnvelopeSize>8192</w:MaxEnvelopeSize>
    <w:Locale xml:lang="en-US" />
    <w:OperationTimeout>PT5M0.000S</w:OperationTimeout>
    <w:OptionSet>
      <w:Option Name="ReadExistingEvents" mustComply="false" />
      <w:Option Name="ContentFormat">RenderedText</w:Option>
    </w:OptionSet>
  </env:Header>
  <env:Body>
    <e:Subscribe>
      <e:Delivery e:Mode="http://schemas.dmtf.org/wbem/wsman/1/wsman/Pull">
        <w:Heartbeats>PT900.000S</w:Heartbeats>
        <w:Encoding>UTF-8</w:Encoding>
      </e:Delivery>
      <e:Expires>PT12H0M0.000S</e:Expires>
      <w:Filter>
        <QueryList>
          <Query Path="Security">
            <Select>*</Select>
          </Query>
          <Query Path="System">
            <Select>*</Select>
          </Query>
          <Query Path="Application">
            <Select>*</Select>
          </Query>
        </QueryList>
      </w:Filter>
      <w:SendBookmarks />
    </e:Subscribe>
  </env:Body>
</env:Envelope>
For Basic Authentication you can use the local Administrator account.
For Kerberos authentication both machines should be in the same domain.
Instructions and an example for HTTP requests and authentication can be found at:
http://java.sun.com/javase/6/docs/technotes/guides/net/http-auth.html
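The configuration steps and the Subscribe request from this post, put together as one runnable HttpURLConnection client. This is an added example, not the poster's code: it builds the envelope above with a fresh MessageID for every request (the post reuses one fixed uuid), POSTs it with a preemptive Basic Authorization header, and refuses to put Basic credentials on plain http unless the caller opts in, which is the client-side counterpart of the server's AllowUnencrypted="true" switch. The host name UVISTA comes from the post; the Administrator account, the password taken from the command line, and the helper names are assumptions, and java.util.Base64 needs Java 8 or later.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.UUID;

/**
 * Hypothetical WinRM event-log Subscribe client built on HttpURLConnection.
 * Host name, credentials and helper names are assumptions for this example.
 */
public class WinRmSubscribeClient {

    /** Builds the WS-Eventing Subscribe envelope from the post, with a fresh MessageID per request. */
    static String buildSubscribeEnvelope(String endpoint, String... logNames) {
        StringBuilder queries = new StringBuilder();
        for (String log : logNames) {
            queries.append("<Query Path=\"").append(log).append("\"><Select>*</Select></Query>");
        }
        return "<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\""
            + " xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\""
            + " xmlns:e=\"http://schemas.xmlsoap.org/ws/2004/08/eventing\""
            + " xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\""
            + " xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\">"
            + "<env:Header>"
            + "<a:To s:mustUnderstand=\"true\">" + endpoint + "</a:To>"
            + "<w:ResourceURI>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</w:ResourceURI>"
            + "<a:Action s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe</a:Action>"
            + "<a:MessageID s:mustUnderstand=\"true\">uuid:" + UUID.randomUUID() + "</a:MessageID>"
            + "<a:ReplyTo><a:Address s:mustUnderstand=\"true\">"
            + "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo>"
            + "<w:MaxEnvelopeSize>8192</w:MaxEnvelopeSize>"
            + "<w:OperationTimeout>PT5M0.000S</w:OperationTimeout>"
            + "<w:OptionSet><w:Option Name=\"ReadExistingEvents\" mustComply=\"false\"/>"
            + "<w:Option Name=\"ContentFormat\">RenderedText</w:Option></w:OptionSet>"
            + "</env:Header>"
            + "<env:Body><e:Subscribe>"
            + "<e:Delivery e:Mode=\"http://schemas.dmtf.org/wbem/wsman/1/wsman/Pull\">"
            + "<w:Heartbeats>PT900.000S</w:Heartbeats><w:Encoding>UTF-8</w:Encoding></e:Delivery>"
            + "<e:Expires>PT12H0M0.000S</e:Expires>"
            + "<w:Filter><QueryList>" + queries + "</QueryList></w:Filter>"
            + "<w:SendBookmarks/>"
            + "</e:Subscribe></env:Body></env:Envelope>";
    }

    /**
     * Basic credentials are only base64-encoded, and with AllowUnencrypted the SOAP body
     * travels in clear as well, so plain http is refused unless the caller opts in explicitly.
     */
    static void requireEncryptedTransport(URL url, boolean allowUnencrypted) {
        if (!"https".equalsIgnoreCase(url.getProtocol()) && !allowUnencrypted) {
            throw new IllegalStateException("refusing Basic auth over " + url.getProtocol()
                + ": use https or opt in with allowUnencrypted=true");
        }
    }

    /** POSTs the envelope with a preemptive Basic Authorization header; returns status and body. */
    static String postSoap(URL url, String user, String password, String envelope,
                           boolean allowUnencrypted) throws IOException {
        requireEncryptedTransport(url, allowUnencrypted);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(30_000);
        conn.setRequestProperty("Content-Type", "application/soap+xml;charset=UTF-8");
        String token = Base64.getEncoder().encodeToString(
            (user + ":" + password).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + token);

        byte[] body = envelope.getBytes(StandardCharsets.UTF_8);
        conn.setFixedLengthStreamingMode(body.length);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        int status = conn.getResponseCode();
        // SOAP faults come back with a 4xx/5xx status, whose body is on the error stream
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        if (in != null) {
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) > 0; ) buf.write(chunk, 0, n);
            in.close();
        }
        return "HTTP " + status + "\n" + buf.toString("UTF-8");
    }

    public static void main(String[] args) throws IOException {
        // Assumed values: host UVISTA from the post, local Administrator account, password as args[0]
        String endpoint = "http://UVISTA:80/wsman/";
        String envelope = buildSubscribeEnvelope(endpoint, "Security", "System", "Application");
        // allowUnencrypted=true matches the AllowUnencrypted="true" server setting from the post;
        // against an https listener pass false so the guard enforces the encrypted transport
        System.out.println(postSoap(new URL(endpoint), "Administrator",
                                    args.length > 0 ? args[0] : "", envelope, true));
    }
}
```

Run with `java WinRmSubscribeClient <password>`. The guard makes the trade-off of the three winrm commands visible on the client side: with Basic over http both the password (base64 only) and the SOAP traffic are readable on the wire, which is the information-disclosure risk the DSP0226 wording quoted in post #3 describes; on an HTTPS listener, or with Negotiate/Kerberos doing the message encryption, the same envelope can be sent with allowUnencrypted left at false.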