Java sample for SSO using JAAS on XP SP2
Bajpai, Atul
Atul.Bajpai at citadelgroup.com
Fri Mar 18 17:39:42 EST 2005
Yes, it seemed like that was the problem, and I was able to get it to work
for my own userid/pwd by upgrading to jdk1.4.2_04 as well as
jdk1.4.2_05. Thanks again for your response. I still have the problem of
getting prompted for userid and password. Do I have to write my own
callback handler code that will retrieve my credentials without
prompting me for them? If so, is there a link you can direct me to where
I can find such code?
TIA,
Atul Bajpai
Development Infrastructure
-----Original Message-----
From: Seema Malkani [mailto:Seema.Malkani at sun.com]
Sent: Friday, March 18, 2005 4:27 PM
To: Bajpai, Atul
Cc: kerberos at mit.edu
Subject: Re: Java sample for SSO using JAAS on XP SP2
If the test account works correctly and you are not getting prompted,
there is no problem with your registry setting for "allowtgtsessionkey".
Java GSS/Kerberos acquired the native credentials on your Windows XP to
achieve SSO.
Your user account probably belongs to many AD groups, and hence
the Kerberos ticket request is hitting the UDP packet size limit. Sun's
implementation of Java GSS/Kerberos does provide support for automatic
fallback to TCP if the Kerberos ticket request using UDP fails and the
KDC returns error code KRB_ERR_RESPONSE_TOO_BIG.
Please use the latest J2SE 1.4.2_07.
Seema
Bajpai, Atul wrote:
>Seema,
>Thanks for responding to my post. My registry is set up as suggested
>but I still have the same problem. I did move to jdk 1.4.2 from
>jdk1.4.1 based on some of your posts about the UDP/TCP problem but now
>I get "connection reset" message when I run my sample. I have the
>debug=true flag set in my .conf file and this is the output I get
>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>Debug is true storeKey false useTicketCache true useKeyTab false
>doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config
>is false principal is null tryFirstPass is false useFirstPass is false
>storePass is false clearPass is false Principal is null null
>credentials from Ticket Cache Kerberos username [abajpai]:
>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>At this point if I use a test account name and password, everything
>goes well, but if I use my own user name and password I get a
>Connection reset message. Any ideas on what I should try next? Also, how
>do I force the app to use my credentials and not prompt me for the
>username/pwd?
>
>TIA
>Atul Bajpai
>Development Infrastructure
>
>
>-----Original Message-----
>From: Seema Malkani [mailto:Seema.Malkani at sun.com]
>Sent: Thursday, March 17, 2005 3:55 PM
>To: Bajpai, Atul
>Cc: kerberos at mit.edu
>Subject: Re: Java sample for SSO using JAAS on XP SP2
>
>You can refer to Java GSS tutorials for sample code:
>http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html
>
>Please check if you have set the register key "allowtgtsessionkey"
>correctly.
>Here is the location of the registry setting on Windows XP SP2:
>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
>Value Name: allowtgtsessionkey
>Value Type: REG_DWORD
>Value: 0x01
>
>
>Seema
>
>Bajpai, Atul wrote:
>
>>Hi all,
>>I am trying to find a SSO solution for Java apps. My requirements are
>>to retrieve and use the currently logged in user's credentials to
>>authenticate against Windows AD. After browsing through the mailing
>>list archives I was able to find some JAAS sample code to do this but I
>>am unable to get the sample to behave that way. The sample app always
>>prompts for a username/password and never succeeds when I type in my
>>own username/pwd; I get a null[52] error. However, when I use some of
>>the test IDs that have been created they get authenticated. I also
>>found that XP SP2 (which is what I have on my desktop) needs
>>"allowTGTSessionKey" in the registry but that hasn't helped either. My
>>.conf file looks like this:
>>"com.sun.security.auth.module.Krb5LoginModule
>>required debug=true storeKey=true useTicketCache=true;". Appreciate
>>all the help I can get on this. Thanks.
>>
>>Atul
------------------------------------------------------------------------
CONFIDENTIALITY AND SECURITY NOTICE
This e-mail contains information that may be confidential and
proprietary. It is to be read and used solely by the intended recipient(s).
Citadel and its affiliates retain all proprietary rights they may have in the
information. If you are not an intended recipient, please notify us
immediately either by reply e-mail or by telephone at 312-395-2100
and delete this e-mail (including any attachments hereto) immediately
without reading, disseminating, distributing or copying. We cannot give
any assurances that this e-mail and any attachments are free of viruses
and other harmful code. Citadel reserves the right to monitor, intercept
and block all communications involving its computer systems.
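The prompt-free login the thread keeps asking about, as an added example written for this page rather than code from the original posts or from Sun: a JAAS entry with doNotPrompt=true and useTicketCache=true, a CallbackHandler that refuses to prompt so a misconfiguration fails closed instead of asking for a password, and a GSS-API call that proves the TGT from the native cache is actually usable. The JAAS entry name SsoClient, the file name sso.conf and the service principal HTTP@app.example.com are assumptions, not values from the thread; the example assumes the allowtgtsessionkey=1 registry value Seema gives above is already set and a JDK of Java 5 or later (the thread was on JDK 1.4.2).

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * sso.conf (assumed file name), selected with -Djava.security.auth.login.config=sso.conf:
 *
 *   SsoClient {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true
 *           doNotPrompt=true
 *           debug=true;
 *   };
 *
 * doNotPrompt=true is the option the thread's .conf lacks: the module then reads the TGT
 * from the native LSA cache (which is what allowtgtsessionkey=1 unlocks on XP SP2) and,
 * if no usable TGT is there, fails with a LoginException instead of asking for a password.
 * storeKey=true from the original .conf only matters for an acceptor holding a keytab.
 */
public final class NoPromptSso {

    /** Kerberos V5 mechanism OID (RFC 1964). */
    private static final Oid KRB5_MECH;
    static {
        try {
            KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /**
     * Refuses every callback. With doNotPrompt=true the Krb5LoginModule never calls it;
     * if the configuration ever regresses, a prompt becomes a hard failure rather than a
     * password dialog hanging a headless service, and no password ever enters the JVM.
     */
    static final class NoPromptHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            Callback first = callbacks.length > 0 ? callbacks[0] : null;
            throw new UnsupportedCallbackException(first,
                    "SSO requires a native ticket cache; interactive prompts are disabled");
        }
    }

    /** Logs in from the native ticket cache only; throws LoginException if that is impossible. */
    public static Subject loginFromNativeCache(String jaasEntry) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry, new NoPromptHandler());
        lc.login();
        return lc.getSubject();
    }

    /**
     * Builds the first GSS-API token (an AP-REQ) for the service, the proof that the cached
     * TGT is usable. A real client keeps the context open to verify the server's reply
     * when mutual authentication is requested; this helper returns only the first token.
     */
    public static byte[] initialToken(Subject subject, final String hostBasedService) throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                GSSName peer = mgr.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(peer, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);
                try {
                    return ctx.initSecContext(new byte[0], 0, 0);
                } finally {
                    ctx.dispose();
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // "SsoClient" and "HTTP@app.example.com" are placeholders, not values from the thread.
        Subject subject = loginFromNativeCache("SsoClient");
        System.out.println("Logged in as " + subject.getPrincipals());
        byte[] token = initialToken(subject, "HTTP@app.example.com");
        System.out.println("Initial AP-REQ token: " + token.length + " bytes");
    }
}
```

Run it with -Djava.security.auth.login.config=sso.conf (and debug=true left on) while logged on to the domain: a LoginException here means the LSA cache did not yield a TGT, which points back at the registry value or at the KDC exchange itself, not at the callback handler.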
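The UDP-to-TCP fallback Seema describes, as an added example written for this page rather than the JDK's own implementation: it sends a KDC request over UDP, decodes just enough of a DER-encoded KRB-ERROR reply to read its error-code, and retries once over TCP with the 4-octet length prefix from RFC 4120 section 7.2.2 only when that code is KRB_ERR_RESPONSE_TOO_BIG (52 in RFC 4120 section 7.5.9, which matches the 52 in the null[52] error from the first post). The bytes in main are constructed, not a capture, and the class name, the MAX_TCP_REPLY bound and the timeouts are assumptions; it needs Java 7 or later. For a JDK without the automatic fallback, setting udp_preference_limit = 1 in the [libdefaults] section of krb5.conf makes Java's Kerberos client use TCP from the start.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.ByteBuffer;
import java.util.Arrays;

public final class KdcTransport {

    /** RFC 4120 section 7.5.9. */
    public static final int KRB_ERR_RESPONSE_TOO_BIG = 52;
    /** KRB-ERROR is [APPLICATION 30], constructed: 0x60 | 30. */
    private static final int KRB_ERROR_TAG = 0x7E;
    private static final int MAX_TCP_REPLY = 1 << 20;   // assumed sanity bound, not from the RFC

    /** Minimal DER cursor: tags, lengths and integers, nothing more. */
    private static final class Der {
        final byte[] buf;
        int pos;
        Der(byte[] buf, int pos) { this.buf = buf; this.pos = pos; }
        int tag() { return buf[pos++] & 0xFF; }
        int length() {
            int b = buf[pos++] & 0xFF;
            if (b < 0x80) return b;                       // short form
            int n = b & 0x7F, len = 0;                    // long form: n length octets follow
            for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos++] & 0xFF);
            return len;
        }
        long integer(int len) {                           // big-endian two's complement
            long v = 0;
            for (int i = 0; i < len; i++) v = (v << 8) | (buf[pos++] & 0xFF);
            int shift = 64 - 8 * len;
            return (v << shift) >> shift;                 // sign-extend
        }
    }

    /** error-code of a DER KRB-ERROR, or -1 if the message is not one (e.g. a normal AS-REP). */
    public static int krbErrorCode(byte[] msg) {
        try {
            Der d = new Der(msg, 0);
            if (d.tag() != KRB_ERROR_TAG) return -1;
            d.length();
            if (d.tag() != 0x30) return -1;               // inner SEQUENCE
            int seqLen = d.length();
            int end = d.pos + seqLen;
            while (d.pos < end) {
                int t = d.tag();
                int len = d.length();
                if (t == (0xA0 | 6)) {                    // [6] error-code wraps an INTEGER
                    if (d.tag() != 0x02) return -1;
                    return (int) d.integer(d.length());
                }
                d.pos += len;                             // skip every other field
            }
            return -1;
        } catch (ArrayIndexOutOfBoundsException truncated) {
            return -1;
        }
    }

    /** RFC 4120 section 7.2.2: over TCP each message carries a 4-octet big-endian length prefix. */
    public static byte[] frameForTcp(byte[] msg) {
        return ByteBuffer.allocate(4 + msg.length).putInt(msg.length).put(msg).array();
    }

    /** UDP first; exactly one TCP retry, and only on KRB_ERR_RESPONSE_TOO_BIG. */
    public static byte[] exchange(byte[] req, InetAddress kdc, int port, int timeoutMs) throws IOException {
        byte[] reply = sendUdp(req, kdc, port, timeoutMs);
        if (krbErrorCode(reply) == KRB_ERR_RESPONSE_TOO_BIG) {
            reply = sendTcp(req, kdc, port, timeoutMs);
        }
        return reply;
    }

    private static byte[] sendUdp(byte[] req, InetAddress kdc, int port, int timeoutMs) throws IOException {
        try (DatagramSocket s = new DatagramSocket()) {
            s.setSoTimeout(timeoutMs);
            s.send(new DatagramPacket(req, req.length, kdc, port));
            byte[] buf = new byte[65535];
            DatagramPacket p = new DatagramPacket(buf, buf.length);
            s.receive(p);
            return Arrays.copyOf(buf, p.getLength());
        }
    }

    private static byte[] sendTcp(byte[] req, InetAddress kdc, int port, int timeoutMs) throws IOException {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(kdc, port), timeoutMs);
            s.setSoTimeout(timeoutMs);
            s.getOutputStream().write(frameForTcp(req));
            s.getOutputStream().flush();
            DataInputStream in = new DataInputStream(s.getInputStream());
            int len = in.readInt();                       // high bit is reserved and must be zero
            if (len < 0 || len > MAX_TCP_REPLY) throw new IOException("bad KDC length prefix: " + len);
            byte[] body = new byte[len];
            in.readFully(body);
            return body;
        }
    }

    public static void main(String[] args) {
        // Constructed sample, not a capture: KRB-ERROR with pvno=5, msg-type=30, error-code=52.
        // The mandatory stime/susec/realm/sname fields are omitted; the decoder skips all but [6].
        byte[] tooBig = {
            0x7E, 0x11, 0x30, 0x0F,
            (byte) 0xA0, 0x03, 0x02, 0x01, 0x05,          // [0] pvno 5
            (byte) 0xA1, 0x03, 0x02, 0x01, 0x1E,          // [1] msg-type 30
            (byte) 0xA6, 0x03, 0x02, 0x01, 0x34           // [6] error-code 52
        };
        if (krbErrorCode(tooBig) != KRB_ERR_RESPONSE_TOO_BIG) throw new AssertionError("decoder");
        if (frameForTcp(tooBig).length != tooBig.length + 4) throw new AssertionError("framing");
        System.out.println("KRB-ERROR 52 recognised; the request would be resent over TCP");
    }
}
```

The retry is deliberately limited to that one error code: any other KRB-ERROR (wrong password, unknown principal, clock skew) is returned to the caller unchanged, so a transport fallback never masks an authentication failure.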