Java GSS-API and kerberos Service Tickets
Anuraggwl
anuraggwl at yahoo.com
Tue Dec 9 17:06:50 EST 2008
Can someone please tell me what should be the correct behaviour of Java GSS
API if get the service token for Service Principal 1 ( SPN1) and on server
accept it using Service Principal 2( SPN2) where both service principal are
mapped to single user account in KDC( windows 2003).
I am using windows 2003 as KDC and both SPN1 & SPN2 are registered in single
user account. for example, if my user account is websvr then i run following
command setspn to set these SPN's to websvr account.
setSPN -A HTTP/SPN1 at MyRealm websvr
setSPN -A HTTP/SPN2 at MyRealm websvr
I have also mapped SPN1 as primary SPN using ktpass mapuser.
In my Java Client program, i request the service ticket for
HTTP/SPN2 at MyRealm and pass it to Java Server code. On Server side, i have
following kerberos config file
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required isInitiator=false
storeKey=true
doNotPrompt=true
useKeyTab=true
keyTab="c://websvrKeys.keytab"
principal="HTTP/SPN1 at MyRealm"
realm="MyRealm"
debug=true;
};
Please note that i am using JDK5 and i cant upgrade to JDK6 so i cant use
isInitiator flag to false to avoid contact with KDC for authentication.
Is this Principal Name is mandatory attribute here ?
Since HTTP/SPN1 is my primary SPN and JDK5 GSS first perform the
authentication in KDC so i cant use HTTP/SPN2 as principal in kerberos
config file.
I am seeing following behaviour.
1) Java GSS Server code is able to validate the service ticket ( for SPN2)
and on server, we still have SPN1 in conf file. is this correct behaviour ?
It seems in other Kerberos API,i get "WRONG PRINCIPAL IN REQUEST" ?
2) is it possible to accept kerberos ticket using some other GSSName. for
example, my config contains principal as HTTP/SPN1, can i use HTTP/SPN2 in
my server side code like below :
GSSName sname = mgr.createName("HTTP/SPN2 at myRealm, null);
GSSCredential clientCreds = mgr.createCredential(sname,
GSSCredential.DEFAULT_LIFETIME,
krb5Oid,
GSSCredential.ACCEPT_ONLY);
When i do that i get Error "Unable to get kerberos key in keytab." However,
i have both SPN1/SPN2 in keytab file.
Note that if in my server code, if i put GNAME as null then JAVa GSS API
gets GSSName from kerberos config file by reading principal.
--
View this message in context: http://www.nabble.com/Java-GSS-API-and-kerberos-Service-Tickets-tp20924707p20924707.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
More information about the Kerberos
mailing list