Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,90 @@
};
```

3. Open the `krb5.conf` file found in the `<IS_HOME>/repository/conf/identity` folder. By default, it contains the following configuration:

{% if is_version in ["7.0.0", "7.1.0", "7.2.0"] %}
``` java

Check failure on line 76 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / lint

Fenced code blocks should be surrounded by blank lines

en/includes/guides/authentication/enterprise-login/add-iwa-login.md:76 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "``` java"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md
[libdefaults]
default_realm = WSO2.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
dns_lookup_kdc = true
dns_lookup_realm = false

[realms]
WSO2.COM = {
kdc = 127.0.0.1
}
```

The default configuration uses `rc4-hmac`, which is considered weak and is disabled by default in newer JDKs. Update `default_tkt_enctypes` and `default_tgs_enctypes` to use AES enctypes that are also permitted for the SPN account on your KDC. For most Active Directory environments, the following is a safe replacement:

Check warning on line 90 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / Vale style check

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'enctypes'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'enctypes'?", "location": {"path": "en/includes/guides/authentication/enterprise-login/add-iwa-login.md", "range": {"start": {"line": 90, "column": 135}}}, "severity": "WARNING"}

Check warning on line 90 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / Vale style check

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'JDKs'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'JDKs'?", "location": {"path": "en/includes/guides/authentication/enterprise-login/add-iwa-login.md", "range": {"start": {"line": 90, "column": 109}}}, "severity": "WARNING"}

``` java
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

Check failure on line 95 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / lint

Fenced code blocks should be surrounded by blank lines

en/includes/guides/authentication/enterprise-login/add-iwa-login.md:95 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "```"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md
{% else %}
``` java

Check failure on line 97 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / lint

Fenced code blocks should be surrounded by blank lines

en/includes/guides/authentication/enterprise-login/add-iwa-login.md:97 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "``` java"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md
[libdefaults]
default_realm = WSO2.COM
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
dns_lookup_kdc = true
dns_lookup_realm = false

[realms]
WSO2.COM = {
kdc = 127.0.0.1
}
```

Check failure on line 109 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / lint

Fenced code blocks should be surrounded by blank lines

en/includes/guides/authentication/enterprise-login/add-iwa-login.md:109 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "```"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md
{% endif %}
Comment on lines +75 to +110

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix MD031 failures by adding blank lines around fenced blocks in both Jinja branches.

The fences opened at Line 76 and Line 97 are not surrounded by blank lines, which is causing the lint job to fail.

Suggested patch
     {% if is_version in ["7.0.0", "7.1.0", "7.2.0"] %}
+
     ``` java
     [libdefaults]
             default_realm = WSO2.COM
@@
        }
     ```
+
 
     The default configuration uses `rc4-hmac`, which is considered weak and is disabled by default in newer JDKs. Update `default_tkt_enctypes` and `default_tgs_enctypes` to use AES enctypes that are also permitted for the SPN account on your KDC. For most Active Directory environments, the following is a safe replacement:
@@
     default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
     ```
+
     {% else %}
+
     ``` java
     [libdefaults]
             default_realm = WSO2.COM
@@
        }
     ```
+
     {% endif %}
🧰 Tools
🪛 GitHub Actions: Markdown Lint / 0_lint.txt

[error] 76-76: markdownlint-cli2: MD031/blanks-around-fences - Fenced code blocks should be surrounded by blank lines. [Context: "``` java"]

🪛 GitHub Actions: Markdown Lint / lint

[error] 76-76: markdownlint-cli2/md031: Fenced code blocks should be surrounded by blank lines [Context: "``` java"].

🪛 GitHub Check: lint

[failure] 109-109: Fenced code blocks should be surrounded by blank lines
en/includes/guides/authentication/enterprise-login/add-iwa-login.md:109 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "```"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md


[failure] 97-97: Fenced code blocks should be surrounded by blank lines
en/includes/guides/authentication/enterprise-login/add-iwa-login.md:97 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "``` java"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md


[failure] 95-95: Fenced code blocks should be surrounded by blank lines
en/includes/guides/authentication/enterprise-login/add-iwa-login.md:95 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "```"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md


[failure] 76-76: Fenced code blocks should be surrounded by blank lines
en/includes/guides/authentication/enterprise-login/add-iwa-login.md:76 MD031/blanks-around-fences Fenced code blocks should be surrounded by blank lines [Context: "``` java"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md031.md

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@en/includes/guides/authentication/enterprise-login/add-iwa-login.md` around
lines 75 - 110, The fenced code blocks inside the Jinja conditional branches
(the ``` java blocks within the "{% if is_version in [\"7.0.0\", \"7.1.0\",
\"7.2.0\"] %}" branch and the "{% else %}" branch) are missing surrounding blank
lines; add a single blank line before and after each fenced code block so the
opening and closing ``` fences are each separated by a blank line from adjacent
text (i.e., insert a blank line after the closing ``` in both branches and
ensure there's a blank line before the opening ``` in the else branch as well)
to fix the MD031 lint failures.

Sources: Linters/SAST tools, Pipeline failures


Update the properties to match your Kerberos environment.

**Properties under `[libdefaults]`**

- `default_realm`: Identifies the default Kerberos realm for the client. Set this to your Active Directory (AD) Kerberos realm — typically the AD domain in uppercase (for example, `WSO2.COM`). If unset, a realm must be specified with every Kerberos principal.
- `default_tkt_enctypes`: The list of session key encryption types the client requests when making an `AS-REQ` (the initial exchange used to obtain a Ticket-Granting Ticket), in order of preference from highest to lowest.

Check warning on line 117 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / Vale style check

[vale] reported by reviewdog 🐶 [WSO2-IAM.TooWordy] 'obtain' is too wordy. Raw Output: {"message": "[WSO2-IAM.TooWordy] 'obtain' is too wordy.", "location": {"path": "en/includes/guides/authentication/enterprise-login/add-iwa-login.md", "range": {"start": {"line": 117, "column": 146}}}, "severity": "WARNING"}
- `default_tgs_enctypes`: The list of session key encryption types the client requests when making a `TGS-REQ` (the exchange used to obtain service tickets), in order of preference from highest to lowest.

Check warning on line 118 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / Vale style check

[vale] reported by reviewdog 🐶 [WSO2-IAM.TooWordy] 'obtain' is too wordy. Raw Output: {"message": "[WSO2-IAM.TooWordy] 'obtain' is too wordy.", "location": {"path": "en/includes/guides/authentication/enterprise-login/add-iwa-login.md", "range": {"start": {"line": 118, "column": 138}}}, "severity": "WARNING"}
- `dns_lookup_kdc`: Indicates whether DNS SRV records should be used to locate the KDC (and other servers) for a realm, if they are not listed explicitly under `[realms]` in `krb5.conf`.
- `dns_lookup_realm`: Indicates whether the realm of a host should be resolved via DNS TXT records. Typically left `false`, since the realm is normally derived from the principal or from `default_realm`.

**Properties under `[realms]`**

- `kdc`: The name or address of a host running a KDC for that realm. An optional port number can be appended after a colon (for example, `kdc.example.com:88`). Each realm subsection must either set this property or rely on DNS SRV records.

!!! note "About `default_tkt_enctypes` and `default_tgs_enctypes`"
When the IWA Kerberos authenticator processes a login, {{product_name}} first performs a Kerberos AS-Exchange with the KDC using the configured Service Principal (SPN) credentials. The KDC responds with the encryption type, salt, and key-derivation parameters it has on file for that SPN account, and {{product_name}} uses those to derive the long-term key needed to decrypt the user's SPNEGO ticket.

Check warning on line 127 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / Vale style check

[vale] reported by reviewdog 🐶 [WSO2-IAM.SentenceLength] Try to keep sentences short (< 30 words). Raw Output: {"message": "[WSO2-IAM.SentenceLength] Try to keep sentences short (\u003c 30 words).", "location": {"path": "en/includes/guides/authentication/enterprise-login/add-iwa-login.md", "range": {"start": {"line": 127, "column": 190}}}, "severity": "INFO"}

- `default_tkt_enctypes` lists the enctypes {{product_name}} is willing to use for that AS-Exchange (the ticket-granting ticket request).
- `default_tgs_enctypes` covers subsequent service ticket requests.

The enctype list configured here must overlap with the enctypes permitted for the SPN account on the KDC.

**Additional property: `permitted_enctypes`**

Not included in the default `krb5.conf` shipped with {{product_name}}; add it under `[libdefaults]` when you need to constrain the algorithms used overall.

Check warning on line 136 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / Vale style check

[vale] reported by reviewdog 🐶 [WSO2-IAM.TooWordy] 'overall' is too wordy. Raw Output: {"message": "[WSO2-IAM.TooWordy] 'overall' is too wordy.", "location": {"path": "en/includes/guides/authentication/enterprise-login/add-iwa-login.md", "range": {"start": {"line": 136, "column": 152}}}, "severity": "WARNING"}

- `permitted_enctypes`: Identifies all encryption types that are permitted for use in session key encryption.

For example, to restrict the client to AES enctypes only:

Check warning on line 140 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / Vale style check

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'enctypes'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'enctypes'?", "location": {"path": "en/includes/guides/authentication/enterprise-login/add-iwa-login.md", "range": {"start": {"line": 140, "column": 48}}}, "severity": "WARNING"}

``` java
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

{% if is_version in ["7.0.0", "7.1.0", "7.2.0"] %}
4. Set the Kerberos configuration file location as a JVM system property.
Comment on lines +147 to +148

Open `<IS_HOME>/bin/wso2server.sh` and add the following parameter to the JVM startup arguments so that {{product_name}} loads the updated `krb5.conf` file at startup:

``` bash
-Djava.security.krb5.conf="$CARBON_HOME/repository/conf/identity/krb5.conf"
Comment on lines +150 to +153
```
{% endif %}

## Register the IWA IdP

Now, let's register IWA as an authenticator in {{product_name}}.
Expand Down Expand Up @@ -176,7 +260,7 @@

- Use hostnames only (no IP addresses).

- Verify the configurations in the `jaas.conf` file, particularly the `isInitiator=false` property under the `Server` section (see the [Set up Active Directory for IWA](#set-up-wso2-identity-server-for-iwa) section).

Check failure on line 263 in en/includes/guides/authentication/enterprise-login/add-iwa-login.md

View workflow job for this annotation

GitHub Actions / lint

Link fragments should be valid

en/includes/guides/authentication/enterprise-login/add-iwa-login.md:263:136 MD051/link-fragments Link fragments should be valid [Context: "[Set up Active Directory for IWA](#set-up-wso2-identity-server-for-iwa)"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md051.md

- Make sure that your service principal (IS) is associated with only one account.

Expand Down
Loading