Java sample for SSO using JAAS on XP SP2

Seema Malkani Seema.Malkani at Sun.COM
Fri Mar 18 19:25:50 EST 2005


The callback handler is used to retrieve specific authentication data,
such as username and password. You don't need to implement a callback
handler to retrieve the native credentials.

The Java Kerberos Login Module does acquire the native credentials from
the native ticket cache, if they exist and are valid, provided you have
the appropriate configuration. However, if the credentials in the native
ticket cache do not exist for the requested identity, then you will be
prompted. You can check the native credentials using the Klist tool from
Windows.

Please check out the following:
1) JAAS Kerberos configuration file.
    Make sure you have set "useTicketCache=true" in the JAAS
configuration file.
2) Login user account
    Make sure you are logged in to the Windows XP machine as your
"username" account, and not as the "test" account. The native
credentials on your Windows XP machine correspond to the login user identity.

Seema
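
As an added example (not code from this thread or from Sun's tutorials), here is a minimal JAAS login that applies the two checks above: useTicketCache=true so the Krb5LoginModule reads the native Windows ticket cache, plus doNotPrompt=true and a callback handler that refuses prompts, so a missing or unusable cache fails loudly instead of falling back to a username/password prompt. The entry name NativeSso, the file name sso.conf and the class name are assumptions; the code assumes Java 5 or later syntax and that the realm and KDC are available from krb5.ini or from the java.security.krb5.realm and java.security.krb5.kdc system properties.

```java
// NativeSsoLogin.java  (added example, not from the original thread)
//
// Assumes a JAAS configuration file passed with
//   -Djava.security.auth.login.config=sso.conf
// containing a stanza like this (the entry name "NativeSso" is an assumption):
//
//   NativeSso {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true
//           doNotPrompt=true
//           debug=true;
//   };
//
// useTicketCache=true lets the module read the native (LSA) ticket cache;
// doNotPrompt=true turns a missing or unusable cache into a LoginException
// instead of a username/password prompt, so an SSO failure is visible
// rather than silently degrading to password login.
import java.io.IOException;
import java.security.Principal;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class NativeSsoLogin {

    /** Refuses every callback. With doNotPrompt=true none should arrive; if one
     *  does, we want a hard error rather than a prompt hidden on stdin. */
    private static final CallbackHandler NO_PROMPT = new CallbackHandler() {
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            Callback first = callbacks.length > 0 ? callbacks[0] : null;
            throw new UnsupportedCallbackException(first,
                "Krb5LoginModule asked for credentials: native ticket cache not usable");
        }
    };

    public static void main(String[] args) {
        String entry = args.length > 0 ? args[0] : "NativeSso";  // assumed entry name
        try {
            LoginContext lc = new LoginContext(entry, NO_PROMPT);
            lc.login();                 // no prompt: credentials come from the LSA cache
            Subject subject = lc.getSubject();

            for (Principal p : subject.getPrincipals()) {
                System.out.println("Authenticated as: " + p.getName());
            }

            // In-JVM equivalent of running klist: list the TGT the module took
            // from the native cache, with its expiry, to confirm which identity
            // and which ticket were actually used.
            Set<KerberosTicket> tickets =
                subject.getPrivateCredentials(KerberosTicket.class);
            for (KerberosTicket t : tickets) {
                System.out.println("Ticket for " + t.getServer().getName()
                    + " valid until " + t.getEndTime()
                    + (t.isCurrent() ? "" : " (EXPIRED)"));
            }
            lc.logout();
        } catch (LoginException e) {
            // Typical causes on Windows XP SP2: not logged in as the expected
            // domain account, or the allowtgtsessionkey registry value not set,
            // so the LSA hands out a TGT without its session key and the module
            // cannot use it.
            System.err.println("SSO login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it as `java -Djava.security.auth.login.config=sso.conf NativeSsoLogin`. If it exits with "SSO login failed" where the original sample would have prompted, compare the output of klist on the same desktop and check the allowtgtsessionkey registry value quoted further down in the thread; a successful run prints the TGT from the native cache, which is the evidence that SSO, not a password login, took place.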

Bajpai, Atul wrote:

>Yes it seemed like that was the problem and I was able to get it to work
>for my own userid/pwd by upgrading to jdk1.4.2_04 as well as
>jdk1.4.2_05. Thanks again for your response. I still have the problem of
>getting prompted for userid and password. Do I have to write my own
>callback handler code that will retrieve my credentials without
>prompting me for them? If so is there a link you can direct me to where
>I can find such code?
>
>TIA,
>Atul Bajpai
>Development Infrastructure
>
>
>-----Original Message-----
>From: Seema Malkani [mailto:Seema.Malkani at sun.com] 
>Sent: Friday, March 18, 2005 4:27 PM
>To: Bajpai, Atul
>Cc: kerberos at mit.edu
>Subject: Re: Java sample for SSO using JAAS on XP SP2
>
>If the test account works correctly and you are not getting prompted,
>there is no problem with your registry setting for "allowtgtsessionkey".
>Java GSS/Kerberos acquired the native credentials on your Windows XP to
>achieve SSO.
>
>Your user account probably belongs to many AD groups, and hence
>the Kerberos ticket request is hitting the UDP packet size limit. Sun's
>implementation of Java GSS/Kerberos does provide support for automatic
>fallback to TCP, if the Kerberos ticket request using UDP fails and the
>KDC returns error code KRB_ERR_RESPONSE_TOO_BIG.
>
>Please use the latest J2SE 1.4.2_07.
>
>Seema
>
>Bajpai, Atul wrote:
>
>  
>
>>Seema,
>>Thanks for responding to my post. My registry is set up as suggested
>>but I still have the same problem. I did move to jdk 1.4.2 from
>>jdk1.4.1 based on some of your posts about the UDP/TCP problem but now
>>I get a "connection reset" message when I run my sample. I have the
>>debug=true flag set in my .conf file and this is the output I get
>>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>Debug is  true storeKey false useTicketCache true useKeyTab false
>>doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config
>>is false principal is null tryFirstPass is false useFirstPass is false
>>storePass is false clearPass is false Principal is null null
>>credentials from Ticket Cache Kerberos username [abajpai]:
>>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>>At this point if I use a test account name and password, everything
>>goes well but if I use my own user name and password I get a
>>Connection reset message. Any ideas on what I should try next? Also how
>>do I force the app to use my credentials and not prompt me for the
>>username/pwd?
>>
>>TIA
>>Atul Bajpai
>>Development Infrastructure
>>
>>
>>-----Original Message-----
>>From: Seema Malkani [mailto:Seema.Malkani at sun.com]
>>Sent: Thursday, March 17, 2005 3:55 PM
>>To: Bajpai, Atul
>>Cc: kerberos at mit.edu
>>Subject: Re: Java sample for SSO using JAAS on XP SP2
>>
>>You can refer to Java GSS tutorials for sample code:
>>http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html
>>
>>Please check if you have set the registry key "allowtgtsessionkey"
>>correctly.
>>Here is the location of the registry setting on Windows XP SP2:
>>
>>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
>>Value Name: allowtgtsessionkey
>>Value Type: REG_DWORD
>>Value: 0x01
>> 
>>
>>Seema
>>
>>Bajpai, Atul wrote:
>>
>>>Hi all,
>>>I am trying to find an SSO solution for Java apps. My requirements are
>>>to retrieve and use the currently logged-in user's credentials to
>>>authenticate against Windows AD. After browsing through the mailing
>>>list archives I was able to find some JAAS sample code to do this but I
>>>am unable to get the sample to behave that way. The sample app always
>>>prompts for a username/password and never succeeds when I type in my
>>>own username/pwd, I get a null[52] error. However when I use some of
>>>the test IDs that have been created they get authenticated. I also
>>>found that XP SP2 (which is what I have on my desktop) needs
>>>"allowTGTSessionKey" in the registry but that hasn't helped either. My
>>>.conf file looks like this
>>>"com.sun.security.auth.module.Krb5LoginModule
>>>required debug=true storeKey=true useTicketCache=true;". Appreciate
>>>all the help I can get on this. Thanks.
>>>
>>>Atul
>>>
>>>
>>>-------------------------------------------------------------------------------------------------
>>>
>>>CONFIDENTIALITY AND SECURITY NOTICE
>>>
>>>This e-mail contains information that may be confidential and
>>>proprietary. It is to be read and used solely by the intended
>>>recipient(s). Citadel and its affiliates retain all proprietary rights
>>>they may have in the information. If you are not an intended recipient,
>>>please notify us immediately either by reply e-mail or by telephone at
>>>312-395-2100 and delete this e-mail (including any attachments hereto)
>>>immediately without reading, disseminating, distributing or copying. We
>>>cannot give any assurances that this e-mail and any attachments are free
>>>of viruses and other harmful code. Citadel reserves the right to monitor,
>>>intercept and block all communications involving its computer systems.
>>>
>>>________________________________________________
>>>Kerberos mailing list           Kerberos at mit.edu
>>>https://mailman.mit.edu/mailman/listinfo/kerberos



More information about the Kerberos mailing list