SSO: Is a credential needed on the server ?

Rouiller Claude claude.rouiller at
Fri Jun 11 08:27:30 EDT 2004


I've just implemented a SSO with a Microsoft KDC and my Java application
server (WLS 8.1). I've implemented a server-side security component (an
Authentication Provider, for those who know WLS) that authenticates the
users, using Kerberos and the GSS-API.

On the server, I have a keytab file, that I've created using Microsoft
ktpass (equivalent of MIT's kadmin). This keytab file contains the key for
the service principal.

As I'm not using mutual authentication (at the GSS level), I am wondering
whether the keytab file is really necessary on the server.
Does it contain a key that is necessary to check the tickets provided by the
users who attempt to become authenticated?


More information about the Kerberos mailing list