grabbing session key from GSS-API

David Tsai dwtsai at MIT.EDU
Wed Aug 4 03:57:25 EDT 2004


Hi,

I'm working on kerberizing a few Java (v1.4.2) classes and am building utilizing JAAS/GSS-API to help me authenticate against a Kerberos server.  If authentication is successful, I can get the ticket in a GSS wrapper by doing mySubject.getPrivateCredentials(), but I was wondering if there was a way to extract the ticket session key from the wrapper, hopefully in the form of a string or array.  Somebody told me vaguely to try "RFC", but I'm not sure exactly what he meant and also how I would implement that into my Java project.  It seems like there should be something within the GSS API that already lets me dig into and extract the session key from the ticket wrapper, but I haven't been able to find it.

Any help would be greatly appreciated.

Thanks,
David

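One way to read the session key from a JAAS Subject, as an added example that is not part of the original post: `javax.security.auth.kerberos.KerberosTicket` exposes the key through `getSessionKey()`. The class name, the `sessionKeyOf` helper, the principals and the key bytes are constructed for illustration; in a real program the Subject comes from `LoginContext.login()`.

```java
import java.util.Date;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class SessionKeyFromSubject {

    // Raw session key of the first usable Kerberos ticket in the Subject's
    // private credentials, or null if the Subject holds none.
    // Written without generics so it also compiles on Java 1.4.
    static byte[] sessionKeyOf(Subject subject) {
        Iterator it = subject.getPrivateCredentials(KerberosTicket.class).iterator();
        while (it.hasNext()) {
            KerberosTicket t = (KerberosTicket) it.next();
            if (t.isDestroyed() || !t.isCurrent()) {
                continue; // getSessionKey() throws on a destroyed ticket
            }
            return t.getSessionKey().getEncoded(); // copy of the key bytes
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the Subject a Kerberos JAAS login would
        // populate, so the example runs without a KDC.
        byte[] constructedKey = new byte[16];
        for (int i = 0; i < constructedKey.length; i++) {
            constructedKey[i] = (byte) i;
        }
        Date now = new Date();
        KerberosTicket tgt = new KerberosTicket(
            new byte[] { 0x61 },               // placeholder, not a real encoded ticket
            new KerberosPrincipal("alice@EXAMPLE.COM"),
            new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
            constructedKey, 17,                // 17 = aes128-cts-hmac-sha1-96
            new boolean[32], now, now,
            new Date(now.getTime() + 3600 * 1000L), null, null);
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(tgt);

        byte[] key = sessionKeyOf(subject);
        System.out.println("key type " + tgt.getSessionKeyType() + ", " + key.length + " bytes");
        java.util.Arrays.fill(key, (byte) 0);  // wipe the copy once finished with it
    }
}
```

The key returned here is the ticket's session key; an established GSS-API context may protect its messages with a negotiated subkey instead, so the two are not necessarily the same value.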
From: jaltman at columbia.edu (Jeffrey Altman)
Date: 4 Aug 2004 10:08:43 -0700
Subject: Re: leash32 2.6.4 issues

matt at cs.auckland.ac.nz (Matthew Cocker) wrote in message news:<41103AFC.9030500 at cs.auckland.ac.nz>...
> Hi
> 
> I am using Kerberos for Windows 2.6.4 and have some issues with it. The 
> first is that when I use RDP to access a Windows XP Pro box as a normal 
> user the GUI is very slow unless I copy the conf files from c:\windows 
> to the %userprofile%\windows directory for each user, then it seems 
> happy. This is similar to how it works on server 2003 TS. Is this the 
> intended behavior and this is how I should set it up.

You have installed KFW on your Terminal Server machine without
installing it from within the Add/Remove Programs Control Panel.
Therefore the proper registry entries have not been applied to allow
Leash to read the common KRB5.INI file from %WINDIR%.

> The other problem is with how leash32 interacts with the openafs 
> autologon process. The openafs auto logon gets krb5 tickets via leash 
> setup (I can see this via the krb5kdc.log) and stores them in 
> API:principle at REALM. Now if I start the leash32 gui and change the krb5 
> cache to this and refresh the gui I see I have tickets on some machines 
> (well one) but on the other 3 PCs I have no tickets until I 
> reauthenticate with the afslogon tools. As I don't get a consistent 
> result on all the machines I am guessing a configuration error in 
> leash32 somehow.

Huh?

What is the relationship of the three other PCs to the one which is
running Leash?

Leash supports one credential cache at a time.  Afscreds supports
multiple credential caches at a time and will use the tickets from all
caches including the Leash default cache when it needs to renew
tokens.

