Subject: Re: Acquiring credentials for a Principal in Java on XP client

David Shambroom wds at intersystems.com
Thu Feb 24 18:15:51 EST 2005


Unfortunately, use of "useTicketCache=true" was broken by Windows 2000 SP4 and 
Windows XP SP2.  Sun has the following suggestion in:
file:///C:/Program%20Files/Java/jdk1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

===BEGIN QUOTE===
Cause 2: This exception is thrown when using native ticket cache on some Windows 
platforms. Microsoft has added a new feature in which they no longer export the 
session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT 
obtained on Windows has an "empty" session key and null EType. The affected 
platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) 
and Windows XP SP2.

Solution 2: You need to update the Windows registry to disable this new feature. 
The registry key allowtgtsessionkey should be added--and set correctly--to allow 
session keys to be sent in the Kerberos Ticket-Granting Ticket.

On the Windows Server 2003 and Windows 2000 SP4, here is the required registry 
setting:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01  ( default is 0 )

By default, the value is 0; setting it to "0x01" allows a session key to be 
included in the TGT.

Here is the location of the registry setting on Windows XP SP2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
===END QUOTE===

The suggested registry addition works for W2K, but not the one for XP (at least 
not for me).  Has anyone successfully tested this on XP, or is there something 
else that needs to be done?

--Dave

kerberos-request at mit.edu wrote:
> Date: Tue, 22 Feb 2005 10:10:15 -0800
> From: Seema Malkani <Seema.Malkani at Sun.COM>
> To: "Wells, Bruce" <Bruce.Wells at citadelgroup.com>
> Cc: bewskeet at mac.com
> Cc: Kerberos MIT <kerberos at mit.edu>
> Subject: Re: Acquiring credentials for a Principal in Java on XP client
> 
> Java Kerberos can be configured to acquire the native credentials. JAAS
> Krb5LoginModule will acquire native TGT on Windows via the LSA API if
> the option "useTicketCache=true" has been set.
> 
> For details on how to achieve Single Sign-On using Java Kerberos refer to:
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/single-signon.html
> 
> In addition, you can refer to following JavaOne Security Lab.
> 7133 - Advanced Security Programming in the J2SE Platform, Version 1.5:
>            Authentication, Secure Communication, and Single Sign-on
> 
> Seema
> 
> In addition, you can refer to
> 
> Wells, Bruce wrote:
> 
>>Hello to all,
>>How can I go about acquiring the credentials for the currently logged-on
>>user on an XP client in Java? I need to establish a context between the
>>Java app and a kerberized service via GSS.
>>
>>TIA,
>>Bruce.
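The approach Seema describes, as an added example that is not code from the thread or from Sun: a self-contained JAAS/GSS initiator that logs in through Krb5LoginModule with useTicketCache=true (reading the native LSA cache) and produces the first GSS token for a service; the service principal, the JAAS entry name and the class name are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Hypothetical class: acquires the logged-on user's native TGT and builds a GSS token. */
public class NativeTgtSso {

    /** In-memory JAAS configuration, equivalent to a one-entry login.conf file. */
    static Configuration jaasConfig() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true"); // read the Windows LSA cache, no password
                opts.put("doNotPrompt", "true");    // fail instead of prompting if the cache is unusable
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Logs in from the native cache and returns the initial token for servicePrincipal. */
    static byte[] initialToken(final String servicePrincipal) throws Exception {
        Configuration.setConfiguration(jaasConfig());
        LoginContext lc = new LoginContext("NativeTgtSso"); // entry name is an assumption
        // On the affected Windows builds this login fails unless allowtgtsessionkey=1,
        // because the cached TGT carries an empty session key. Setting that value exposes
        // the TGT session key to every process in the user's session, so scope it narrowly.
        lc.login();
        return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws Exception {
                GSSManager mgr = GSSManager.getInstance();
                Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
                GSSName peer = mgr.createName(servicePrincipal, GSSName.NT_USER_NAME, krb5);
                GSSCredential cred = mgr.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
                GSSContext ctx = mgr.createContext(peer, krb5, cred, GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);
                return ctx.initSecContext(new byte[0], 0, 0); // AP-REQ to send to the service
            }
        });
    }
}
```

Call initialToken with the target's principal, for example the assumed "HTTP/app.example.com@EXAMPLE.COM", and send the returned bytes to the service as the first context token.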
