Subject: Re: Acquiring credentials for a Principal in Java on XP client

Seema Malkani Seema.Malkani at Sun.COM
Mon Feb 28 15:02:46 EST 2005


Microsoft has restricted the interface to retrieve
ticket-granting-ticket/session key pairs from the Kerberos security
package. This feature affects all programs that use LSA API to obtain
the native TGT on Windows.

MIT has the same suggestion. Check out the MIT Kerberos release notes
for Windows. You will find the notes on "AllowTGTSessionKey" registry key.
http://web.mit.edu/kerberos/www/kfw-2.6/kfw-2.6.5/relnotes.html

Seema

David Shambroom wrote:

>Unfortunately, use of "useTicketCache=true" was broken by Windows 2000 SP4 and 
>Windows XP SP2.  Sun has the following suggestion in:
>file:///C:/Program%20Files/Java/jdk1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
>
>===BEGIN QUOTE===
>Cause 2: This exception is thrown when using native ticket cache on some Windows 
>platforms. Microsoft has added a new feature in which they no longer export the 
>session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT 
>obtained on Windows has an "empty" session key and null EType. The affected 
>platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) 
>and Windows XP SP2.
>
>Solution 2: You need to update the Windows registry to disable this new feature. 
>The registry key allowtgtsessionkey should be added--and set correctly--to allow 
>session keys to be sent in the Kerberos Ticket-Granting Ticket.
>
>On the Windows Server 2003 and Windows 2000 SP4, here is the required registry 
>setting:
>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>Value Name: allowtgtsessionkey
>Value Type: REG_DWORD
>Value: 0x01  ( default is 0 )
>
>By default, the value is 0; setting it to "0x01" allows a session key to be 
>included in the TGT.
>
>Here is the location of the registry setting on Windows XP SP2:
>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
>Value Name: allowtgtsessionkey
>Value Type: REG_DWORD
>Value: 0x01
>===END QUOTE===
>
>The suggested registry addition works for W2K, but not the one for XP (at least 
>not for me).  Has anyone successfully tested this on XP, or is there something 
>else that needs to be done?
>
>--Dave
>
>kerberos-request at mit.edu wrote:
>>Date: Tue, 22 Feb 2005 10:10:15 -0800
>>From: Seema Malkani <Seema.Malkani at Sun.COM>
>>To: "Wells, Bruce" <Bruce.Wells at citadelgroup.com>
>>Cc: bewskeet at mac.com
>>Cc: Kerberos MIT <kerberos at mit.edu>
>>Subject: Re: Acquiring credentials for a Principal in Java on XP client
>>Message-ID: <421B7587.7030604 at sun.com>
>>In-Reply-To: 
>> <97004BEBD94CFE46B9873DEA9D572985086E3067 at CIGEMAIL.chi.citadelgroup.com>
>>References: 
>> <97004BEBD94CFE46B9873DEA9D572985086E3067 at CIGEMAIL.chi.citadelgroup.com>
>>Content-Type: text/plain; charset=ISO-8859-15
>>MIME-Version: 1.0
>>Content-Transfer-Encoding: 7BIT
>>Precedence: list
>>Message: 1
>>
>>Java Kerberos can be configured to acquire the native credentials. JAAS
>>Krb5LoginModule will acquire native TGT on Windows via the LSA API if
>>the option "useTicketCache=true" has been set.
>>
>>For details on how to achieve Single Sign-On using Java Kerberos refer to:
>>http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/single-signon.html
>>
>>In addition, you can refer to following JavaOne Security Lab.
>>7133 - Advanced Security Programming in the J2SE Platform, Version 1.5:
>>           Authentication, Secure Communication, and Single Sign-on
>>
>>Seema
>>
>>In addition, you can refer to
>>
>>Wells, Bruce wrote:
>>
>>>Hello to all,
>>>How can I go about acquiring the credentials for the current logged on
>>>user
>>>on an XP client in Java. I need to establish a context between the Java
>>>app
>>>and a kerberized service via GSS
>>>
>>>TIA,
>>>Bruce.
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
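The configuration the thread is discussing, written out as an added example (it is not code from the thread, from Sun's documentation or from the JDK): a Krb5LoginModule entry with useTicketCache=true is built programmatically, the login is attempted against the native Windows cache, and each ticket's session key type and length are reported so an empty-session-key TGT is visible. The entry name "NativeTgt" and the class name are assumptions.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.HashMap;
import java.util.Map;

public class NativeTgtCheck {

    // Programmatic equivalent of this JAAS login configuration entry (name is assumed):
    //   NativeTgt { com.sun.security.auth.module.Krb5LoginModule required
    //               useTicketCache=true doNotPrompt=true; };
    static Configuration nativeTicketCacheConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true"); // read the native (LSA) cache on Windows
                opts.put("doNotPrompt", "true");    // fail rather than prompt for a password
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    public static void main(String[] args) {
        try {
            LoginContext lc = new LoginContext("NativeTgt", null, null, nativeTicketCacheConfig());
            lc.login();
            Subject subject = lc.getSubject();
            // Inspect every Kerberos ticket the module placed in the Subject.
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                byte[] key = t.getSessionKey().getEncoded();
                System.out.printf("%s -> %s: session key type %d, key length %d%n",
                        t.getClient().getName(), t.getServer().getName(),
                        t.getSessionKeyType(), key == null ? 0 : key.length);
            }
        } catch (LoginException e) {
            // On the Windows versions named in the thread, a failure here is usually the
            // LSA handing back a TGT without its session key (Cause 2 in the quoted text).
            System.err.println("Login failed: " + e.getMessage());
            System.err.println("Check the allowtgtsessionkey registry value quoted above.");
        }
    }
}
```

Run it under the logged-on Windows user after adding the registry value; a key length of 0 or an immediate LoginException is the symptom the thread describes. Note that allowtgtsessionkey makes the TGT session key available to any process running as that user, which is why Microsoft restricted it, so enable it only on hosts where that exposure is acceptable.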