Using a Kerberized application outside the Kerberos Realm

Florian Frankenberger ffrankenberger at
Mon Aug 21 12:40:28 EDT 2006


I am using the Windows 2003 Domaincontroller and the included KDC. I want to implement single-sign-on with an application that is a server programmed in Java. Let's call it Alice. A client software, also programmed in Java, will connect to Alice. Let's call this client Bob. Now Alice is the service I have to add to the Domaincontroller in order to acquire service tickets later. Bob is the client, that should acquire a service ticket for Alice from the KDC and pass it on to Alice. I want Alice to ensure the service ticket's authenticity by decrypting it with the shared secret key that only Alice and the KDC possess. I already succeeded in obtaining a TGT from the KDC. My problem is that Alice is not in the domain in which the KDC is running. To be more precise, the KDC and the service Alice are set up in different network environments and thus do not know each other.
Is it possible to create a kerberized service that is not part of the Kerberos realm? If yes, what do I have to do?

I thought of sharing the symmetric service key between the KDC and Alice. To do so, I tried to create the service Alice with ktpass, give the so created encryption key to Alice and let Alice decrypt the service tickets, that will be delivered by Bobs later.

Is this procedure possibly in theory? Does anyone know how to obtain the service ticket by using JAAS? I only managed to get the TGT.

This is an extract of my code so far:

System.setProperty("", ((Element)tPropertiesCatalog.get("PROVIDER_REALM")).getAttributeValue("value"));
System.setProperty("", ((Element)tPropertiesCatalog.get("PROVIDER_URL")).getAttributeValue("value"));
System.setProperty("", "false");

// Performing Kerberos login
LoginContext tLoginContext = new LoginContext("JaasLogin");
final Subject tSubject = tLoginContext.getSubject();

Subject.doAs(tSubject, new PrivilegedExceptionAction()
  public Object run() throws Exception
    Principal tPrincipal = (Principal)tSubject.getPrincipals().iterator().next();
    KerberosTicket tTicket = (KerberosTicket) tSubject.getPrivateCredentials(KerberosTicket.class).iterator().next();

How can I get a service ticket now?

Thanks for any help in advance.

More information about the Kerberos mailing list