Problems with SSO authentication in windows XP sp2

Douglas E. Engert deengert at
Wed Feb 16 17:20:53 EST 2005

Just a thougth, with Windows, is your username in mixed case?
Windows treats the user part of the principal as case insensitive,
all other Kerberos treats it as case sensitive. This could mean
Java did not find the ticket.  Or As Jeff had said, it is
looking at the wrong cache.

If it worked last week, did you change your password an anything
else with your account, like change the case of the name?

Miika Parvio wrote:

> Hello!
> I have managed to get to work SSO authentication between windows XP 
> (sp2) and windows server 2003. So when user is logged in to windows and 
> starts application, which I have made, authentication is done by 
> Krb5LoginModule. If TGT is found from the cache, authentication is 
> succesfull, otherwise Krb5LoginModule asks username and password of the 
> user. I'm using the latest JDK (1.5). Everything has been worked very 
> well,but today I noticed that SSO didn't worked after I had logged in. I 
> also noticed, that if I locked and unlocked my workstation SSO started 
> to work in my Java application. I repeated the following sequence many 
> times:
> 1. Log on to windows XP
> 2. Start my Java application and try single sign on
> 3. SSO failed (not TGT in cache)
> 4. Application asks username and password
> 5. Username and password authentication was succesfull
> 6. Lock workstation
> 7. Unlock workstation
> 8. Start my Java application and try single sign on
> 9. Authentication is succeeded
> 10. Log out MOVE TO step 1.
> It seems that after logon, the TGT isn't in the cache, but after lock 
> and unlock operations the TGT is in the cache.
> I think everything worked in the last week. I have checked, that 
> following registry key is set to value 0x01
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\allowTGTSessionKey
> DES encrypting is turned on in my acount(JSSE and Krb5LoginModule 
> requires it)
> So what else? I have installed some security updates of windows during 
> this week. Can those updates broke the SSO functionality?
> Miika
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list