All docs This doc

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added the kerberos_grant JAR


Follow the instructions below to configure Kerberos Grant with WSO2 API Manager:


Now API Manager comes with Download the kerberos_grant_1.0.0_1.0.0.jar. Therefore you do not need to add this kerberos grant jar manually from here. Copy it to the <API-M_HOME>/repository/components/lib folder.

  1. Add following entry under <SupportedGrantTypes> in the <API-M_HOME>/repository/conf/identity/identity.xml file.

    Code Block
  2. Create a file named jaas.conf in the <API-M_HOME>/repository/conf/identity directory with the following content.

    Code Block
    Server { required
    }; Client { required
  3. Copy the following JARs into the <API-M_HOME>/repository/components/dropins directory.
  4. Configure OAuth2 for your client application with the Kerberos grant type.

    1. Start the WSO2 API-M server by navigating to the <API-M_HOME>/bin directory in your console and running one of the following scripts based on your OS.

      • On Windows: wso2server.bat --run

      • On Linux/Mac OS: sh

    2. Sign into the API Store.

    3. Click Applications and click on the name of the application that you want to configure the OAuth2 with the Kerberos grant type.

    4. Generate the Production Keys.

      1. Click Production Keys.

      2. Click on the Kerberos checkbox as shown in the screenshot. 

      3. Click Generate Keys to generate the keys.
    5. Generate the Sandbox Keys.

      1. Click Sandbox Keys.

      2. Click on the Kerberos checkbox.

      3. Click Generate Keys to generate the keys.

  5. Configure the Service Principal Name (SPNName) and Service Principal Password (SPNPassword)


    service principal name  ( SPN ) is a unique identifier of a  service  instance. SPNs are used by Kerberos authentication to associate a  service  instance with a  service logon account. This allows a client application to request that the  service authenticate an account even if the client does not have the account  name .

    1. Sign in to the WSO2 API-M Management Console.

    2. Navigate to the Main menu, click Add under the Identity Provider menu.

    3. Add a new Identity Provider (IDP).


      The IDP name should be the name of the realm. Based on this example, it should be An identity provider is needed here to manage the KDC Service. It provides access to an identity stored in a  Kerberos  authentication server.

      • Identity Provider Name:

      • Aliashttps://
      • Server Principal Name: HTTP/

      Adding an IDP in WSO2 API Manager

  6. Invoke the token endpoint using the message format discussed in step 3.


    Note that for users to be counted in the Registered Users for Application statistics which takes the number of users shared each of the Application, they should have to generate access tokens using Password Grant type.