Problems with SSO authentication in Windows XP SP2
Seema Malkani
Seema.Malkani at Sun.COM
Wed Feb 16 20:50:39 EST 2005
If you are using the native ticket cache, Java Krb5LoginModule will obtain
the native TGT from the ticket cache via the LSA API. If you are using a
file-based ticket cache, Java Krb5LoginModule will obtain the TGT from
your file-based cache. However, if the ticket obtained from the ticket
cache is no longer valid, Java Krb5LoginModule will prompt for
username/password.
Did you use kinit to obtain the TGT? If you did, then Java
Krb5LoginModule will first fetch the ticket from the file-based ticket
cache if it exists. In your case, probably the TGT in the file-based
ticket cache has expired. Check if you have a krb5cc_uid file in your
home directory on Windows. If you do, then I would suggest that you
remove this file. Now Java Krb5LoginModule will obtain the TGT from the
native ticket cache via LSA, and SSO should work now.
When prompted for username/password, the TGT obtained is not stored in
any file-based cache; it will be stored in the JAAS subject. If the TGT
already exists in the JAAS subject, it will be used for authentication.
Do you have a file-based ticket cache in your home dir? Did you change
the Kerberos principal name used by your Java application? Did you
log in as a different user?
Please send me further details on your usage.
Seema
Miika Parvio wrote:
>Hello!
>
>I have managed to get SSO authentication working between Windows XP
>(SP2) and Windows Server 2003. So when the user is logged in to Windows and
>starts the application which I have made, authentication is done by
>Krb5LoginModule. If a TGT is found in the cache, authentication is
>successful, otherwise Krb5LoginModule asks for the username and password of the
>user. I'm using the latest JDK (1.5). Everything has worked very
>well, but today I noticed that SSO didn't work after I had logged in. I
>also noticed that if I locked and unlocked my workstation, SSO started
>to work in my Java application. I repeated the following sequence many
>times:
>
>1. Log on to Windows XP
>2. Start my Java application and try single sign on
>3. SSO failed (no TGT in cache)
>4. Application asks for username and password
>5. Username and password authentication was successful
>6. Lock workstation
>7. Unlock workstation
>8. Start my Java application and try single sign on
>9. Authentication succeeded
>10. Log out, move to step 1.
>
>It seems that after logon, the TGT isn't in the cache, but after lock
>and unlock operations the TGT is in the cache.
>
>I think everything worked last week. I have checked that the
>following registry key is set to the value 0x01:
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\allowTGTSessionKey
>
>DES encryption is turned on in my account (JSSE and Krb5LoginModule
>require it)
>
>So what else? I have installed some Windows security updates during
>this week. Could those updates have broken the SSO functionality?
>
>Miika
>
>________________________________________________
>Kerberos mailing list Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
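Seema's lookup order above (the kinit file cache first, then the native LSA cache, then a username/password prompt), as an added example that is not part of either mail: a small Java probe (the class name SsoProbe and the two JAAS entry names are hypothetical) that first attempts a cache-only login, falls back to prompting, and then reports whether the TGT now held in the JAAS Subject is still current, which is the check to run when a stale krb5cc file is suspected.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

/* Hypothetical jaas.conf, passed with -Djava.security.auth.login.config=jaas.conf.
 * "SsoCacheOnly" may only use an existing ticket cache (the kinit file cache if one
 * exists, otherwise the native LSA cache on Windows) and must never prompt;
 * "SsoPrompt" asks for username/password and keeps the TGT only in the Subject.
 *
 * SsoCacheOnly {
 *   com.sun.security.auth.module.Krb5LoginModule required
 *     useTicketCache=true doNotPrompt=true debug=true;
 * };
 * SsoPrompt {
 *   com.sun.security.auth.module.Krb5LoginModule required
 *     useTicketCache=false debug=true;
 * };
 */
public class SsoProbe {
    // Try the cache-only entry first; fall back to the prompting entry on failure.
    static Subject login() throws LoginException {
        try {
            LoginContext lc = new LoginContext("SsoCacheOnly");
            lc.login();
            System.out.println("SSO: TGT taken from the ticket cache");
            return lc.getSubject();
        } catch (LoginException e) {
            // Same situation as an expired krb5cc_<uid> file: no usable cached TGT.
            System.out.println("No usable TGT in any cache: " + e.getMessage());
            LoginContext lc = new LoginContext("SsoPrompt", new TextCallbackHandler());
            lc.login();
            System.out.println("TGT obtained with a password; held only in the JAAS Subject");
            return lc.getSubject();
        }
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = login();
        // Report each TGT the Subject holds and whether it is still current (not expired).
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.printf("%s -> %s, valid until %s, current=%b%n",
                    t.getClient().getName(), t.getServer().getName(),
                    t.getEndTime(), t.isCurrent());
        }
    }
}
```

Run it once right after logon and once after lock/unlock: with debug=true the module also prints which cache it read, so the two runs show directly whether the cache-only path succeeded or the prompt fallback was taken.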