SSO: Is a credential needed on the server ?

Douglas E. Engert deengert at
Fri Jun 11 10:12:25 EDT 2004

Rouiller Claude wrote:

> Hi
> I've just implemented a SSO with a Microsoft KDC and my Java application
> server (WLS 8.1). I've implemented a server-side security component (an
> Authentication Provider, for those who know WLS) that authenticates the
> users, using Kerberos and the GSS-API.
> On the server, I have a keytab file, that I've created using Microsoft
> ktpass (equivalent of MIT's kadmin). This keytab file contains the key for
> the service principal.
> As I'm not using mutual authentication (at the GSS level), I am wondering
> whether the keytab file is really necessary on the server.
> Does it contain a key that is necessary to check the tickets provided by the
> users who attempt to become authenticated?

Yes it is. The user obtains a server ticket from the KDC. Parts of this ticket
are encrypted in the key of the server that is in the keytab file. The server must
decrypt parts of the ticket to verify the user, and to get the session key to be used

> Thanks,
> Claude


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
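
Added example (not part of the original message, and not code from WLS or any Kerberos library): a toy Python model of the exchange described in the reply, showing why the acceptor needs the service key even without mutual authentication. The cipher is a stand-in built from HMAC-SHA256, not a real Kerberos enctype, and all function names and the principal used with it are hypothetical.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC (assumption: stands in for a Kerberos enctype)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def kdc_issue_ticket(service_key, client):
    """KDC: the ticket is sealed in the service key; the client only gets the session key."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"client": client, "session_key": session_key.hex()})
    return ticket, session_key

def client_ap_req(ticket, session_key, client):
    """Client: forwards the opaque ticket plus an authenticator sealed in the session key."""
    return {"ticket": ticket, "authenticator": seal(session_key, {"client": client})}

def server_accept(keytab_key, ap_req):
    """Server: without the keytab key it can read neither the client name nor the session key."""
    if keytab_key is None:
        raise ValueError("no service key: ticket cannot be decrypted")
    tkt = unseal(keytab_key, ap_req["ticket"])
    auth = unseal(bytes.fromhex(tkt["session_key"]), ap_req["authenticator"])
    if auth["client"] != tkt["client"]:
        raise ValueError("authenticator does not match ticket")
    return tkt["client"]
```

A ticket sealed under any key other than the one in the keytab fails the integrity check, which is what stops a client from minting its own ticket for the service.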
