Java GSS-API and kerberos Service Tickets

Anuraggwl anuraggwl at
Tue Dec 9 17:06:50 EST 2008

Can someone please tell me what should be the correct behaviour of Java GSS
API if get the service token for Service Principal 1 ( SPN1) and on server
accept it using Service Principal 2( SPN2) where both service principal are
mapped to single user account in KDC( windows 2003).

I am using windows 2003 as KDC and both SPN1 & SPN2 are registered in single
user account. for example, if my user account is websvr then i run following
command setspn to set these SPN's to websvr account.

setSPN -A HTTP/SPN1 at MyRealm websvr
setSPN -A HTTP/SPN2 at MyRealm websvr

I have also mapped SPN1 as primary SPN using ktpass mapuser.

In my Java Client program, i request the service ticket for
HTTP/SPN2 at MyRealm and pass it to Java Server code. On Server side, i have
following kerberos config file  { required isInitiator=false
  principal="HTTP/SPN1 at MyRealm" 

Please note that i am using JDK5 and i cant upgrade to JDK6 so i cant use
isInitiator flag to false to avoid contact with KDC for authentication.

Is this Principal Name is mandatory attribute here ?

Since HTTP/SPN1 is my primary SPN and JDK5 GSS first perform the
authentication in KDC so i cant use HTTP/SPN2 as principal in kerberos
config file.

I am seeing following behaviour.

1) Java GSS Server code is able to validate the service ticket ( for SPN2) 
and on server, we still have SPN1 in conf file. is this correct behaviour ?

It seems in other Kerberos API,i get "WRONG PRINCIPAL IN REQUEST" ?

2) is it possible to accept kerberos ticket using some other GSSName. for
example, my config contains principal as HTTP/SPN1, can i use HTTP/SPN2 in
my server side code like below :

                GSSName sname =  mgr.createName("HTTP/SPN2 at myRealm, null);

                GSSCredential clientCreds =  mgr.createCredential(sname,

When i do that i get Error "Unable to get kerberos key in keytab." However,
i have both SPN1/SPN2 in keytab file.

Note that if in my server code, if i put GNAME as null then JAVa GSS API
gets GSSName from kerberos config file by reading principal.

View this message in context:
Sent from the Kerberos - General mailing list archive at

More information about the Kerberos mailing list