Authenticating with Active Directory via Kerberos

12
votes

I'm working on building an android application which requires different levels of authentication, and I would like to do so using Active Directory.

From what I've read, using Kerberos is the way Microsoft suggests. How do I do this for Android? I see the javax.security.auth doc, but it doesn't tell me too much.

I also saw a note somewhere that Kerberos does not contain user groups - is this true? In that case, would I have to somehow combine LDAP as well?

EDIT

The main goal here is achieving an LDAP connection to the active directory in order to authenticate and give the user correct permissions for the enterprise Android application. The real barrier here is the fact that Google left out many of the Java Web Services API from it's port to android. (i.e. javax.naming) Also, many of the connection mechanisms in the Android jar seem to be only included as legacy code, and they in fact actually do nothing.

4
javaandroidauthenticationactive-directorykerberos
What exactly are you trying to accomplish? Are you trying to reach out from your android device to some external servers and use kerberos as an authentication mechanism? Or you are trying to log in users locally using their domain credentials? Also note that you will need to have an open connection from your android device to your domain controller. This means that if you want your authentication scheme to work over the air you have to open up port 88 to your domain controller to the entire world. - Vlad
I'm trying to authenticate users and give them access to specific parts of the android application based on the group memberships they have in the Active Directory. I have found one way to do it, I think, but I haven't been able to test it just yet on the Android application. - Cody

4 Answers

3
votes

For that you might be better off just staying completely within LDAP and don't venture into the kerberos. Kerberos gives you advantage of Single Sign On, but since your android app doesn't have any credentials already in place it doesn't really help you. I guess google had their own reasons not to include the javax.naming into the distro. It is pretty heavy stuff.

You might be able to either port the stuff yourself from java runtime library sources, or might be better off using native LDAP library. For example this one.

Just remember to use secure LDAP connection or at least secure authentication method. More info about this is here.

3
votes

I found the documentation here to be really useful when I was writing my code to authenticate with my Kerberos server. Here's how I authenticate with my kerberos server, but you might need to tweak it for yours (hence me including the link):

public static final int REGISTRATION_TIMEOUT = 30 * 1000; // ms

private static DefaultHttpClient httpClient;

private static final AuthScope SERVER_AUTH_SCOPE =
    new AuthScope("urls to kerberos server", AuthScope.ANY_PORT);


public static DefaultHttpClient getHttpClient(){
    if(httpClient == null){
      httpClient = new DefaultHttpClient();
      final HttpParams params = httpClient.getParams();
      HttpConnectionParams.setConnectionTimeout(params, REGISTRATION_TIMEOUT);
      HttpConnectionParams.setSoTimeout(params, REGISTRATION_TIMEOUT);
      ConnManagerParams.setTimeout(params, REGISTRATION_TIMEOUT);
    }
    return httpClient;
  }

  public static boolean authenticate(String username, String password)
  {

    UsernamePasswordCredentials creds =
      new UsernamePasswordCredentials(username, password);
    DefaultHttpClient client = getHttpClient();
    client.getCredentialsProvider().setCredentials(SERVER_AUTH_SCOPE, creds);

    boolean authWorked = false;
    try{
      HttpGet get = new HttpGet(AUTH_URI);
      HttpResponse resp = client.execute(get);
      authWorked = resp.getStatusLine().getStatusCode() != 403
    }
    catch(IOException e){
      Log.e("TAG", "IOException exceptions");
      //TODO maybe do something?
    }
    return authWorked;
  }
2
votes

Have you looked at using JCIFS? Based on these questions [1] [2] and this site, JCIFS works under Android. The JCIFS site has a simple NTLM Authenticator example that could help get you started. However, based on this Samba list message, you will need to use LDAP and custom code to get the user's groups.

1
votes

Try this tutorial from Oracle. My code likes a charm. Hopefully everything is included in Android's VM distro.