Authenticating with Active Directory via Kerberos

Question

I\'m working on building an android application which requires different levels of authentication, and I would like to do so using Active Directory.

From what I\'ve read

Answer 1

I found the documentation here to be really useful when I was writing my code to authenticate with my Kerberos server. Here's how I authenticate with my kerberos server, but you might need to tweak it for yours (hence me including the link):

public static final int REGISTRATION_TIMEOUT = 30 * 1000; // ms

private static DefaultHttpClient httpClient;

private static final AuthScope SERVER_AUTH_SCOPE =
    new AuthScope("urls to kerberos server", AuthScope.ANY_PORT);


public static DefaultHttpClient getHttpClient(){
    if(httpClient == null){
      httpClient = new DefaultHttpClient();
      final HttpParams params = httpClient.getParams();
      HttpConnectionParams.setConnectionTimeout(params, REGISTRATION_TIMEOUT);
      HttpConnectionParams.setSoTimeout(params, REGISTRATION_TIMEOUT);
      ConnManagerParams.setTimeout(params, REGISTRATION_TIMEOUT);
    }
    return httpClient;
  }

  public static boolean authenticate(String username, String password)
  {

    UsernamePasswordCredentials creds =
      new UsernamePasswordCredentials(username, password);
    DefaultHttpClient client = getHttpClient();
    client.getCredentialsProvider().setCredentials(SERVER_AUTH_SCOPE, creds);

    boolean authWorked = false;
    try{
      HttpGet get = new HttpGet(AUTH_URI);
      HttpResponse resp = client.execute(get);
      authWorked = resp.getStatusLine().getStatusCode() != 403
    }
    catch(IOException e){
      Log.e("TAG", "IOException exceptions");
      //TODO maybe do something?
    }
    return authWorked;
  }

Answer 2

Try this tutorial from Oracle. My code likes a charm. Hopefully everything is included in Android's VM distro.

Answer 3

For that you might be better off just staying completely within LDAP and don't venture into the kerberos. Kerberos gives you advantage of Single Sign On, but since your android app doesn't have any credentials already in place it doesn't really help you. I guess google had their own reasons not to include the javax.naming into the distro. It is pretty heavy stuff.

You might be able to either port the stuff yourself from java runtime library sources, or might be better off using native LDAP library. For example this one.

Just remember to use secure LDAP connection or at least secure authentication method. More info about this is here.

Answer 4

Have you looked at using JCIFS? Based on these questions [1] [2] and this site, JCIFS works under Android. The JCIFS site has a simple NTLM Authenticator example that could help get you started. However, based on this Samba list message, you will need to use LDAP and custom code to get the user's groups.