How to use Java with Kerberos

Article #: 1733

Product: All

Castle: All

Summary

Java does not support Kerberos and therefore may not work with the proxy.

This article describes how to force Java through a different proxy, other than the system settings proxy.

Problem

Oracle Java supports NTLM authentication through proxies but does not support Kerberos.

Given the widespread use of Java applets in web sites, this can make switching to Kerberos difficult.

Solution

1. Configure Kerberos authentication on the primary proxy port but also create a secondary port running NTLM authentication — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/authpolicywiz.htm
2. Use group policy to deploy a .config file to each workstation to:

%WinDir%\Oracle\Java\Deployment\deployment.config

3. This file should contain two lines:
deployment.system.config="http://<YOUR-INTRANET-SERVER>/deployment.properties"

(URL to deployment file hosted on a web server)

deployment.system.config.mandatory=false

(Set to true to enforce settings — Java will not run if it cannot fetch the deployment file)

4. Create a deployment.properties file on a web server accessible to all clients (typically, an internal intranet server).

This file will contain any options you wish to configure for Java.

5. Add the following to deployment.properties to force Java to use a different proxy than the browser:
deployment.proxy.bypass.list=<local_addresses_to_bypass_proxy>

(For example, deployment.proxy.bypass.list="10.0.1.1,smoothwall,smoothwall.local")

deployment.proxy.bypass.local=true
deployment.proxy.http.host=<smoothwall_IP_address>

(For example, deployment.proxy.http.host=10.0.1.1)

deployment.proxy.http.port=<port_for_NTLM_authentication_policy>

(For example, deployment.proxy.http.port=9090)

deployment.proxy.type=1
deployment.proxy.same=true

Tip: Use the same address and port for HTTPS/FTP traffic.

Note: If you are hosting the deployment.properties file on an IIS web server, ensure you have added a text MIME type for .properties files; otherwise the server will refuse to serve it. Further technical details on deploying Java can be found here: http://docs.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/properties.html.
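A pre-publication check for the deployment.properties file from step 5, added here as an example (it is not Smoothwall or Oracle code). The function names parse_properties and lint are hypothetical, the parser is deliberately minimal (no line continuations), and both sample files are constructed from the article's example values.

```python
# Keys that step 5 of the article places in deployment.properties.
REQUIRED = ("deployment.proxy.type", "deployment.proxy.http.host",
            "deployment.proxy.http.port", "deployment.proxy.same")

def parse_properties(text):
    """Minimal key=value parser: skips blank lines and #/! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return problems that would keep Java off the NTLM proxy port."""
    props, problems = parse_properties(text), []
    for key in REQUIRED:
        if key not in props:
            problems.append(f"missing {key}")
    for key, value in props.items():
        # Template text such as <smoothwall_IP_address> left unedited.
        if "<" in value and ">" in value:
            problems.append(f"{key} still holds a placeholder: {value}")
    if props.get("deployment.proxy.type", "1") != "1":
        problems.append("deployment.proxy.type is not 1, the value the article sets")
    port = props.get("deployment.proxy.http.port", "")
    if port and "<" not in port and not (port.isdecimal() and 0 < int(port) < 65536):
        problems.append(f"deployment.proxy.http.port is not a valid port: {port}")
    return problems

# Constructed sample: the article's example values filled in.
GOOD = """deployment.proxy.bypass.list=10.0.1.1,smoothwall,smoothwall.local
deployment.proxy.bypass.local=true
deployment.proxy.http.host=10.0.1.1
deployment.proxy.http.port=9090
deployment.proxy.type=1
deployment.proxy.same=true
"""

# Constructed sample: unedited placeholder, mistyped port, wrong type, missing key.
BAD = """deployment.proxy.http.host=<smoothwall_IP_address>
deployment.proxy.http.port=9o90
deployment.proxy.type=3
"""

if __name__ == "__main__":
    print(lint(GOOD), lint(BAD), sep="\n")
```

Run it against the file content before placing it on the intranet server; an empty list means the proxy keys from step 5 are all present and well formed.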

Attribution:

Last updated:

Author:

Contributions by:

23 August 2016

 

DMT

 

Copyright © 2000-2016 Smoothwall All rights reserved.