Accepting secure context on Server without KDC-Login
Olfmatic
olfmatic at web.de
Thu Sep 7 08:41:41 EDT 2006
Hello,
Please help me, I still don't get it:
I want to accept a secure context on my server. As far as I have learned, the server does not have to contact the KDC to do so, because the shared secret is stored in a keytab file created on the KDC and then stored at the server. But my experience has been different.
This is my code:
import org.ietf.jgss.*;

// Kerberos V5 mechanism OID
Oid tKrb5Oid = new Oid("1.2.840.113554.1.2.2");
GSSManager tGSSManager = GSSManager.getInstance();
String tPrincName = "servicename/hostname@REALM";
GSSName tServerName = tGSSManager.createName(tPrincName, GSSName.NT_USER_NAME);
// Acceptor-only credential for the service principal (same OID as the
// internal Krb5MechFactory constant, without depending on sun.* classes)
GSSCredential tServerCredential = tGSSManager.createCredential(tServerName,
    GSSCredential.INDEFINITE_LIFETIME, tKrb5Oid,
    GSSCredential.ACCEPT_ONLY);
// Acceptor-side context: this overload takes only the server's own credential
GSSContext tSecureContext = tGSSManager.createContext(tServerCredential);
byte[] tInToken = aToken; // the token received from the client
byte[] tOutToken = tSecureContext.acceptSecContext(tInToken, 0, tInToken.length);
If I execute this code in a PrivilegedAction after logging in to the KDC with the Krb5LoginModule, everything is fine. Now what I want is for the server to accept the secure context WITHOUT trying to contact the KDC. Do I have to log in with the Krb5LoginModule even so? Or can the above code also be executed without a prior KDC login?
But then how do I tell the server application where to find the keytab file? As far as I know, the keytab file is configured in the configuration of LoginModules:
JaasLogin {
//Kerberos single-sign-on login module
com.sun.security.auth.module.Krb5LoginModule required debug=true useKeyTab=true keyTab=C:/krb5.keytab ;
};
But if I never call
LoginContext tLoginContext = new LoginContext("JaasLogin");
tLoginContext.login();
final Subject tSubject = tLoginContext.getSubject();
then how can the application know that it shall use a keytab and where to find it?
If I log in with the Krb5LoginModule, the server looks for the KDC, which is not what I want.
If I do not log in with the Krb5LoginModule, I get the error message "Attempt to obtain new ACCEPT credentials failed", which seems clear to me, because the server application doesn't know anything about the keytab file.
What do I have to do? Login or no Login?
Thanks for any help.
Florian
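The keytab-only acceptor the post is asking about, as an added example that is not code from the original poster or from the Kerberos project. It assumes a JAAS entry named ServiceAcceptor (placeholder name, shown in the class comment), a placeholder keytab path and service principal, Sun/Oracle's Krb5LoginModule with the isInitiator option (Java 6 and later) and the javax.security.auth.kerberos.KeyTab class (Java 7 and later). It also goes a step beyond the post: after the "login" it checks that key material actually landed in the Subject, which is the condition whose absence produces the "Attempt to obtain new ACCEPT credentials failed" error.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Keytab-only GSS-API acceptor (added example, not the poster's code).
 * Expects this entry in the file named by -Djava.security.auth.login.config
 * (entry name, keytab path, principal and realm are placeholders):
 *
 *   ServiceAcceptor {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true
 *       keyTab="C:/krb5.keytab"
 *       principal="servicename/hostname@REALM"
 *       storeKey=true
 *       isInitiator=false
 *       doNotPrompt=true;
 *   };
 *
 * storeKey=true keeps the service's long-term key in the Subject so the GSS
 * acceptor can decrypt the client's AP-REQ ticket; isInitiator=false tells the
 * module not to fetch a TGT, which is what keeps the "login" off the network.
 */
public class KeytabAcceptor {
    private static final Oid KRB5_MECH = krb5Oid();
    private static final String JAAS_ENTRY = "ServiceAcceptor";                 // assumed entry name
    private static final String SERVICE_PRINCIPAL = "servicename/hostname@REALM"; // placeholder

    private final Subject serviceSubject;

    public KeytabAcceptor() throws LoginException {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();                      // reads the keytab only; no KDC round trip
        serviceSubject = lc.getSubject();
        // Java 6 stores KerberosKey objects, Java 7+ a KeyTab object. If neither
        // is present, acceptSecContext will fail with
        // "Attempt to obtain new ACCEPT credentials failed", so fail early here.
        boolean hasKey = !serviceSubject.getPrivateCredentials(KerberosKey.class).isEmpty()
                      || !serviceSubject.getPrivateCredentials(KeyTab.class).isEmpty();
        if (!hasKey) {
            throw new LoginException("no keytab key in Subject: check useKeyTab/storeKey/keyTab");
        }
    }

    /** Established (or in-progress) context plus the reply token to send back. */
    public static final class Accepted {
        public final GSSContext context;
        public final byte[] replyToken;  // null if the mechanism has nothing to send
        Accepted(GSSContext context, byte[] replyToken) {
            this.context = context;
            this.replyToken = replyToken;
        }
    }

    /** Consumes the client's initial token inside the service Subject. */
    public Accepted acceptInitialToken(final byte[] inToken) throws GSSException {
        try {
            return Subject.doAs(serviceSubject, new PrivilegedExceptionAction<Accepted>() {
                public Accepted run() throws GSSException {
                    GSSManager mgr = GSSManager.getInstance();
                    GSSName serverName = mgr.createName(SERVICE_PRINCIPAL, GSSName.NT_USER_NAME);
                    GSSCredential serverCred = mgr.createCredential(serverName,
                            GSSCredential.INDEFINITE_LIFETIME, KRB5_MECH, GSSCredential.ACCEPT_ONLY);
                    GSSContext ctx = mgr.createContext(serverCred);  // acceptor-side overload
                    byte[] reply = ctx.acceptSecContext(inToken, 0, inToken.length);
                    if (ctx.isEstablished()) {
                        // Authenticated client principal, taken from the decrypted ticket
                        System.out.println("client: " + ctx.getSrcName());
                    }
                    return new Accepted(ctx, reply);  // keep ctx for wrap()/unwrap()
                }
            });
        } catch (PrivilegedActionException e) {
            throw (GSSException) e.getException();
        }
    }

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Smoke test needing only the keytab and JAAS config, not a reachable KDC.
        new KeytabAcceptor();
        System.out.println("keytab login OK for " + SERVICE_PRINCIPAL);
    }
}
```

Run it with -Djava.security.auth.login.config pointing at the JAAS file; a krb5.conf (or -Djava.security.krb5.conf) is still consulted for realm and encryption-type settings, but with isInitiator=false nothing is sent to the KDC. The alternative to calling LoginContext yourself is to set -Djavax.security.auth.useSubjectCredsOnly=false, in which case the Sun GSS provider performs the JAAS login on its own using an entry named com.sun.security.jgss.accept; either way the keytab is located through the JAAS configuration, which is the only place the provider reads it from.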