Delegation w/ Java

Seema Malkani Seema.Malkani at Sun.COM
Tue Sep 5 14:50:52 EDT 2006


Support for RC4-HMAC is available starting from J2SE 5.0 Update 7. 
However your account is set up for "DES" only. The native TGT in the 
ticket cache has EType of DES. Ensure the Kerberos configuration is 
set up to define the enctypes as per the Active Directory account settings.

To use RC4-HMAC Kerberos encryption type:

1) Upgrade to J2SE 5.0 Update 7 or later.

2) Ensure the Kerberos account is set up for RC4-HMAC encryption type. Make sure
you have NOT selected "use DES" in the AD account settings; RC4-HMAC is 
the default enctype on Windows. Reset the password used.

3) Update the Kerberos configuration file to include the following:
[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

Seema

Michael B Allen wrote On 09/01/06 09:37,:

>I'm trying to get delegation to work from a Java servlet running on a
>Windows IIS machine but Credentials.acquireTGTFromCache() is returning
>'null'. Is this because Java 1.5 doesn't support RC4-HMAC? I cannot
>require all regular user accounts to be set for "DES only". Is there
>anything I can do?
>
>The following code (plus a regedit allowtgtsessionkey=1) illustrates the
>problem:
>
>System.setProperty("os.name", "windows 2000");
>Credentials c = Credentials.acquireDefaultCreds();
>System.out.println(c);
>System.out.println("aquireTGT***");
>Credentials x = Credentials.acquireTGTFromCache(c.getServer(), null);
>System.out.println(x);
>
>This prints:
>
>C:\tmp>java AcquireTGT
>Credentials:
>client=alice@EXAMPLE.COM
>server=krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM
>authTime=20060901202921Z
>startTime=20060901202921Z
>endTime=20060902012024Z
>renewTill=20060908152024Z
>flags: FORWARDABLE;RENEWABLE;PRE-AUTHENT
>EType (int): 3
>aquireTGT***
>null
>
>So the TGT is 'null'.
>
>If I use Java's kinit it works (at least on Linux it did last night, right
>now I'm on Windows on site).
>
>Can someone recommend a path of low resistance?
>
>Do I want to try IBM's JGSS?
>
>Mike
>
>
>
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
>  
>
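
An added example, not part of the original thread and not Sun's code: a small diagnostic that logs in from the existing ticket cache through the public JAAS Krb5LoginModule and reports the session key enctype of each ticket Java picked up, so a DES TGT (EType 3 in the output above) can be told apart from an rc4-hmac one (etype 23). The class name TgtEtypeCheck and the JAAS entry name are assumptions chosen for this example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical diagnostic class (name chosen for this example).
public class TgtEtypeCheck {
    // Kerberos enctype numbers as assigned in RFC 3961, RFC 3962 and RFC 4757.
    static String etypeName(int etype) {
        switch (etype) {
            case 1:  return "des-cbc-crc";
            case 3:  return "des-cbc-md5";
            case 16: return "des3-cbc-sha1";
            case 17: return "aes128-cts-hmac-sha1-96";
            case 18: return "aes256-cts-hmac-sha1-96";
            case 23: return "rc4-hmac";
            default: return "unknown";
        }
    }

    public static void main(String[] args) {
        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("useTicketCache", "true"); // read the existing TGT from the cache
        opts.put("doNotPrompt", "true");    // never fall back to asking for a password
        Configuration conf = new Configuration() { // in-code JAAS config, no login.conf file
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
            public void refresh() { }
        };
        try {
            LoginContext lc = new LoginContext("TgtEtypeCheck", null, null, conf);
            lc.login();
            for (KerberosTicket t : lc.getSubject().getPrivateCredentials(KerberosTicket.class)) {
                int etype = t.getSessionKeyType();
                System.out.println(t.getServer().getName() + " session key etype " + etype
                    + " (" + etypeName(etype) + ")" + (etype == 1 || etype == 3
                    ? " -> DES: clear \"use DES\" on the account and reset the password" : ""));
            }
        } catch (LoginException e) { // this JRE found no TGT it could use in the cache
            System.out.println("No usable TGT in ticket cache: " + e.getMessage());
        }
    }
}
```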


