AW: Obtaining service ticket with JAVA JAAS

Olfmatic olfmatic at
Thu Aug 31 09:52:51 EDT 2006

All I get in the Subject is a Set of private credentials with the TGT at position 0. Nothing else is contained. Should the service ticket be another element of this Set? How do I recognize a service ticket? How does the KDC know which service I need a ticket for?

-----Original Message-----
From: Seema.Malkani at Sun.COM [mailto:Seema.Malkani at Sun.COM]
Sent: Monday, 21 August 2006 21:09
To: Olfmatic
Cc: kerberos at
Subject: Re: Obtaining service ticket with JAVA JAAS

The Kerberos service ticket is obtained internally, and stored in the 
Subject's private credentials, after successful authentication.

At the client-end :

// Identify the name of the server.
GSSName serverName = manager.createName("nfs/", 

// Instantiate and initialize a security context that will be
// established with the server
GSSContext context = manager.createContext(serverName,

At the server-end :

// Acquire credentials for the server
GSSCredential serverCreds = manager.createCredential(serverName, 
// Instantiate and initialize a security context that will
// wait for an establishment request token from the client
GSSContext context = manager.createContext(serverCreds);

Please refer to Java GSS tutorials for details:


Olfmatic wrote On 08/21/06 10:00,:

>can anybody please send some lines of JAVA code in which a service ticket is acquired by the KDC? I tried it like this
>    	// Performing Kerberos login
>    	LoginContext tLoginContext = new LoginContext("JaasLogin");
>    	tLoginContext.login();
>    	final Subject tSubject = tLoginContext.getSubject();
>    	Subject.doAs(tSubject, new PrivilegedExceptionAction()
>			{
>				public Object run() throws Exception
>				{
>		    	Principal tPrincipal = (Principal)tSubject.getPrincipals().iterator().next();
>		    	KerberosTicket tTicket = (KerberosTicket) tSubject.getPrivateCredentials(
>							KerberosTicket.class).iterator().next();
>			GSSManager tGSSManager = GSSManager.getInstance();
>			Oid tKerberosOID = new Oid("1.2.840.113554.1.2.2");
>			GSSName tGSSName = tGSSManager.createName("myservice/ at MYREALM.DE", GSSName.NT_USER_NAME, tKerberosOID);
>			GSSCredential tServiceCredential = tGSSManager.createCredential(tGSSName, GSSCredential.INDEFINITE_LIFETIME, tKerberosOID, GSSCredential.INITIATE_AND_ACCEPT);
>				}
>			}
>but this doesn't work. For some reason, the principal's name in tGSSManager.createName() is still the one from my WIN2003-Login. I get a valid TGT from tLoginContext.login() but acquiring the service ticket fails. Is this the right approach to this problem?
>This is my auth.conf:
>JaasLogin {
>    //Kerberos single-sign-on login module
> required debug=true useTicketCache=true ;
>other {
>    // jBoss LoginModule
>  required;
>    // Put your login modules that need jBoss here
>Thanks for any help in advance.

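An added example, not code from either poster, for the questions raised in this thread: the target name passed to the GSS context is what tells the KDC which service the ticket is for, and the resulting service ticket can be told apart from the TGT by its server principal. The entry name "JaasLogin" is taken from the thread; "myservice@host.example.com" is a placeholder, and the sketch assumes a JDK whose Kerberos provider adds the acquired service ticket to the Subject, as the reply above states.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class ServiceTicketDemo {
    // A TGT is a ticket whose server principal is krbtgt/REALM@REALM;
    // any other server principal means a service ticket.
    static boolean isTgt(KerberosTicket t) {
        return t.getServer().getName().startsWith("krbtgt/");
    }

    public static void main(String[] args) throws Exception {
        // "JaasLogin" is the entry name from the thread's auth.conf.
        LoginContext lc = new LoginContext("JaasLogin");
        lc.login();
        final Subject subject = lc.getSubject();

        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");
            // Placeholder target: service "myservice" on host.example.com.
            // The target name determines which ticket the KDC is asked for.
            GSSName target = manager.createName(
                    "myservice@host.example.com", GSSName.NT_HOSTBASED_SERVICE);
            // Null credentials: use the TGT already held by the Subject.
            GSSContext ctx = manager.createContext(
                    target, krb5, null, GSSContext.DEFAULT_LIFETIME);
            // The first call performs the TGS exchange and returns the
            // token that would be sent to the service.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            System.out.println("Context token: " + token.length + " bytes");
            ctx.dispose();
            return null;
        });

        // The Subject now holds the TGT plus the new service ticket.
        // Only principal names are printed; session keys stay out of logs.
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println((isTgt(t) ? "TGT:     " : "Service: ")
                    + t.getServer().getName());
        }
        lc.logout();
    }
}
```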