Java GSS-API and kerberos Service Tickets

Douglas E. Engert deengert at
Tue Dec 9 18:12:46 EST 2008

GSSName takes service at host, not principal.
GSSName does not take a realm. The realm is determined
internaly to the GSS.

So in your case the GSSname would be HTTP at SPN2

(Still don't know why you have to use a single AD account with
two SPNs, rather then two separate accounts.)

Anuraggwl wrote:
> Can someone please tell me what should be the correct behaviour of Java GSS
> API if get the service token for Service Principal 1 ( SPN1) and on server
> accept it using Service Principal 2( SPN2) where both service principal are
> mapped to single user account in KDC( windows 2003).
> I am using windows 2003 as KDC and both SPN1 & SPN2 are registered in single
> user account. for example, if my user account is websvr then i run following
> command setspn to set these SPN's to websvr account.
> setSPN -A HTTP/SPN1 at MyRealm websvr
> setSPN -A HTTP/SPN2 at MyRealm websvr
> I have also mapped SPN1 as primary SPN using ktpass mapuser.
> In my Java Client program, i request the service ticket for
> HTTP/SPN2 at MyRealm and pass it to Java Server code. On Server side, i have
> following kerberos config file
>  {
> required isInitiator=false
>   storeKey=true 
>   doNotPrompt=true 
>   useKeyTab=true
>   keyTab="c://websvrKeys.keytab" 
>   principal="HTTP/SPN1 at MyRealm" 
>   realm="MyRealm"
>   debug=true;
> };
> Please note that i am using JDK5 and i cant upgrade to JDK6 so i cant use
> isInitiator flag to false to avoid contact with KDC for authentication.
> Is this Principal Name is mandatory attribute here ?
> Since HTTP/SPN1 is my primary SPN and JDK5 GSS first perform the
> authentication in KDC so i cant use HTTP/SPN2 as principal in kerberos
> config file.
> I am seeing following behaviour.
> 1) Java GSS Server code is able to validate the service ticket ( for SPN2) 
> and on server, we still have SPN1 in conf file. is this correct behaviour ?
> It seems in other Kerberos API,i get "WRONG PRINCIPAL IN REQUEST" ?
> 2) is it possible to accept kerberos ticket using some other GSSName. for
> example, my config contains principal as HTTP/SPN1, can i use HTTP/SPN2 in
> my server side code like below :
>                 GSSName sname =  mgr.createName("HTTP/SPN2 at myRealm, null);
>                 GSSCredential clientCreds =  mgr.createCredential(sname,
>                                               krb5Oid,
>                                               GSSCredential.ACCEPT_ONLY);
> When i do that i get Error "Unable to get kerberos key in keytab." However,
> i have both SPN1/SPN2 in keytab file.
> Note that if in my server code, if i put GNAME as null then JAVa GSS API
> gets GSSName from kerberos config file by reading principal.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list