Java sample for SSO using JAAS on XP SP2
Seema Malkani
Seema.Malkani at Sun.COM
Fri Mar 18 17:27:00 EST 2005
If the test account works correctly and you are not getting prompted, there is no problem with your registry setting for "allowtgtsessionkey". Java GSS/Kerberos acquired the native credentials on your Windows XP to achieve SSO.
Your user account probably belongs to many AD groups, and hence the Kerberos ticket request is hitting the UDP packet size limit. Sun's implementation of Java GSS/Kerberos does provide support for automatic fallback to TCP if the Kerberos ticket request using UDP fails and the KDC returns error code KRB_ERR_RESPONSE_TOO_BIG.
Please use the latest J2SE 1.4.2_07.
Seema
Bajpai, Atul wrote:
>Seema,
>Thanks for responding to my post. My registry is set up as suggested but
>I still have the same problem. I did move to jdk 1.4.2 from jdk1.4.1
>based on some of your posts about the UDP/TCP problem but now I get
>"connection reset" message when I run my sample. I have the debug=true
>flag set in my .conf file and this is the output I get
>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>Principal is null
>null credentials from Ticket Cache
>Kerberos username [abajpai]:
>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>At this point if I use a test account name and password, everything goes
>well but if I use my own user name and password I get a Connection
>reset message. Any ideas on what I should try next? Also how do I force
>the app to use my credentials and not prompt me for the username/pwd?
>
>TIA
>Atul Bajpai
>Development Infrastructure
>
>
>-----Original Message-----
>From: Seema Malkani [mailto:Seema.Malkani at sun.com]
>Sent: Thursday, March 17, 2005 3:55 PM
>To: Bajpai, Atul
>Cc: kerberos at mit.edu
>Subject: Re: Java sample for SSO using JAAS on XP SP2
>
>You can refer to Java GSS tutorials for sample code:
>http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html
>
>Please check if you have set the registry key "allowtgtsessionkey"
>correctly.
>Here is the location of the registry setting on Windows XP SP2:
>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
>Value Name: allowtgtsessionkey
>Value Type: REG_DWORD
>Value: 0x01
>
>
>Seema
>
>Bajpai, Atul wrote:
>
>>Hi all,
>>I am trying to find an SSO solution for Java apps. My requirements are
>>to retrieve and use the currently logged-in user's credentials to
>>authenticate against Windows AD. After browsing through the mailing
>>list archives I was able to find some JAAS sample code to do this but I
>>am unable to get the sample to behave that way. The sample app always
>>prompts for a username/password and never succeeds when I type in my
>>own username/pwd, I get a null[52] error. However when I use some of
>>the test IDs that have been created they get authenticated. I also
>>found that XP SP2 (which is what I have on my desktop) needs
>>"allowTGTSessionKey" in registry but that hasn't helped either. My
>>.conf file looks like this
>>"com.sun.security.auth.module.Krb5LoginModule
>>required debug=true storeKey=true useTicketCache=true;". Appreciate all
>>the help I can get on this. Thanks.
>>
>>Atul
>>
>>________________________________________________
>>Kerberos mailing list Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>
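The thread asks two things: how to make the JAAS sample pick up the logged-in user's native credentials instead of prompting, and where the "Connection reset" for a large-group account shows up. The following is an added example, not code from the thread or from Sun's JGSS tutorials. It replaces the .conf file with a programmatic JAAS Configuration that sets useTicketCache=true (read the TGT the OS already holds) and doNotPrompt=true (fail instead of prompting), then builds the first GSS-API token for a target service. The service principal HTTP/app.example.com@EXAMPLE.COM, the login entry name "SsoClient" and the class name are assumptions for illustration.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Minimal Kerberos SSO client (added example): log in with the credentials
 * the OS already holds, then build the first GSS-API token for a service.
 */
public class KerberosSsoClient {

    /** Kerberos V5 GSS-API mechanism OID (RFC 1964). */
    static final Oid KRB5_MECH = krb5Oid();

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Programmatic equivalent of a JAAS .conf entry, so no external file is
     * needed. useTicketCache=true makes Krb5LoginModule read the TGT the OS
     * already holds (on Windows this is the LSA cache, which is why the
     * allowtgtsessionkey registry value has to be set). doNotPrompt=true turns
     * a missing or unreadable TGT into a LoginException instead of a
     * "Kerberos username" prompt, which is the behaviour an SSO client wants.
     */
    static final class SsoConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<>();
            options.put("useTicketCache", "true");
            options.put("doNotPrompt", "true");
            options.put("debug", "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, options)
            };
        }
    }

    /** Logs in from the native ticket cache; throws if no usable TGT exists. */
    static Subject loginFromTicketCache() throws LoginException {
        Configuration.setConfiguration(new SsoConfiguration());
        // The entry name is ignored by SsoConfiguration; "SsoClient" is assumed.
        LoginContext lc = new LoginContext("SsoClient");
        lc.login();
        return lc.getSubject();
    }

    /**
     * Runs as the logged-in subject and returns the initial GSS token for
     * servicePrincipal. The TGS exchange for the service ticket happens here,
     * so a KDC transport problem (oversized UDP reply, "Connection reset")
     * surfaces as a GSSException at this point rather than at login time,
     * because the TGT itself was already local.
     */
    static byte[] initialToken(Subject subject, final String servicePrincipal)
            throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws GSSException {
                GSSManager manager = GSSManager.getInstance();
                GSSName peer = manager.createName(servicePrincipal,
                        GSSName.NT_USER_NAME, KRB5_MECH);
                GSSContext ctx = manager.createContext(peer, KRB5_MECH, null,
                        GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);
                ctx.requestInteg(true);
                // A real client keeps feeding the server's replies back into
                // initSecContext until ctx.isEstablished(); one round suffices here.
                return ctx.initSecContext(new byte[0], 0, 0);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Assumed, hypothetical target service; replace with a real SPN.
        String spn = args.length > 0 ? args[0] : "HTTP/app.example.com@EXAMPLE.COM";
        Subject subject;
        try {
            subject = loginFromTicketCache();
        } catch (LoginException e) {
            System.err.println("No Kerberos credentials available for SSO: " + e.getMessage());
            System.err.println("Check allowtgtsessionkey and that the user holds a TGT.");
            return;
        }
        byte[] token = initialToken(subject, spn);
        System.out.println("Logged in as " + subject.getPrincipals());
        System.out.println("Initial GSS token: " + token.length + " bytes");
    }
}
```

Run it with -Dsun.security.krb5.debug=true to see whether the TGS request goes out over UDP and whether the JDK retries over TCP after KRB_ERR_RESPONSE_TOO_BIG. On JDKs whose Kerberos implementation honours it, udp_preference_limit = 1 under [libdefaults] in krb5.conf forces TCP from the start for accounts whose PAC makes the ticket too large for a UDP datagram.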