Problems with SSO authentication in windows XP sp2

Jeffrey Altman jaltman2 at
Wed Feb 16 16:40:54 EST 2005

If the Java application is requesting your username and password,
then it is not attempting to obtain Kerberos tickets from the Microsoft
LSA cache.  Instead it is obtaining tickets and storing them for you
in a file based cache.  Therefore, it does not matter if you lock and
unlock your desktop because the tickets obtained and stored in the file
cache by Java will still be there until it expires.

Miika Parvio wrote:

> Hello!
> I have managed to get to work SSO authentication between windows XP 
> (sp2) and windows server 2003. So when user is logged in to windows and 
> starts application, which I have made, authentication is done by 
> Krb5LoginModule. If TGT is found from the cache, authentication is 
> succesfull, otherwise Krb5LoginModule asks username and password of the 
> user. I'm using the latest JDK (1.5). Everything has been worked very 
> well,but today I noticed that SSO didn't worked after I had logged in. I 
> also noticed, that if I locked and unlocked my workstation SSO started 
> to work in my Java application. I repeated the following sequence many 
> times:
> 1. Log on to windows XP
> 2. Start my Java application and try single sign on
> 3. SSO failed (not TGT in cache)
> 4. Application asks username and password
> 5. Username and password authentication was succesfull
> 6. Lock workstation
> 7. Unlock workstation
> 8. Start my Java application and try single sign on
> 9. Authentication is succeeded
> 10. Log out MOVE TO step 1.
> It seems that after logon, the TGT isn't in the cache, but after lock 
> and unlock operations the TGT is in the cache.
> I think everything worked in the last week. I have checked, that 
> following registry key is set to value 0x01
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\allowTGTSessionKey 
> DES encrypting is turned on in my acount(JSSE and Krb5LoginModule 
> requires it)
> So what else? I have installed some security updates of windows during 
> this week. Can those updates broke the SSO functionality?
> Miika

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

More information about the Kerberos mailing list