SSO: Is a credential needed on the server ?
Douglas E. Engert
deengert at anl.gov
Fri Jun 11 10:12:25 EDT 2004
Rouiller Claude wrote:
> I've just implemented a SSO with a Microsoft KDC and my Java application
> server (WLS 8.1). I've implemented a server-side security component (an
> Authentication Provider, for those who know WLS) that authenticates the
> users, using Kerberos and the GSS-API.
> On the server, I have a keytab file, that I've created using Microsoft
> ktpass (equivalent of MIT's kadmin). This keytab file contains the key for
> the service principal.
> As I'm not using mutual authentication (at the GSS level), I am wondering
> whether the keytab file is really necessary on the server.
> Does it contain a key that is necessary to check the tickets provided by the
> users who attempt to become authenticated?
Yes it is. The user obtains a server ticket from the KDC. Parts of this ticket
are encrypted in the key of the server that is in the keytab file. The server must
decrypt parts of the ticket to verify the user, and to get the session key to be used
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
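
The exchange described in the reply above, as an added example that is not part of the original message: a toy Python model in which the KDC seals the ticket under the service key, and the server can verify the user only if it holds that key. The seal/unseal routine is a stand-in for a real Kerberos enctype, all function names are hypothetical, and timestamps and replay protection are left out.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a toy keystream (not a Kerberos enctype).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under `key`."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the MAC, then decrypt; fails if `key` is not the sealing key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue(service_key, client):
    """KDC: session key for the client, plus a ticket only the service can open."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"client": client, "session_key": session_key.hex()})
    return session_key, ticket

def client_ap_req(session_key, ticket, client):
    """Client: forwards the opaque ticket and an authenticator under the session key."""
    return ticket, seal(session_key, {"client": client})

def server_accept(keytab_key, ticket, authenticator):
    """Server: opens the ticket with the keytab key, then checks the authenticator."""
    t = unseal(keytab_key, ticket)                      # impossible without the keytab key
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]

if __name__ == "__main__":
    svc_key = os.urandom(32)                            # constructed key, as stored in the keytab
    sk, tkt = kdc_issue(svc_key, "alice@EXAMPLE.COM")   # constructed principal name
    print(server_accept(svc_key, *client_ap_req(sk, tkt, "alice@EXAMPLE.COM")))
```

Nothing in server_accept sends a reply to the client, so the keytab key is needed to verify the ticket whether or not mutual authentication is requested.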