Java GSS-API and kerberos Service Tickets
Douglas E. Engert
deengert at anl.gov
Tue Dec 9 18:12:46 EST 2008
GSSName takes service at host, not principal.
GSSName does not take a realm. The realm is determined
internaly to the GSS.
So in your case the GSSname would be HTTP at SPN2
(Still don't know why you have to use a single AD account with
two SPNs, rather then two separate accounts.)
Anuraggwl wrote:
> Can someone please tell me what should be the correct behaviour of Java GSS
> API if get the service token for Service Principal 1 ( SPN1) and on server
> accept it using Service Principal 2( SPN2) where both service principal are
> mapped to single user account in KDC( windows 2003).
>
> I am using windows 2003 as KDC and both SPN1 & SPN2 are registered in single
> user account. for example, if my user account is websvr then i run following
> command setspn to set these SPN's to websvr account.
>
> setSPN -A HTTP/SPN1 at MyRealm websvr
> setSPN -A HTTP/SPN2 at MyRealm websvr
>
> I have also mapped SPN1 as primary SPN using ktpass mapuser.
>
> In my Java Client program, i request the service ticket for
> HTTP/SPN2 at MyRealm and pass it to Java Server code. On Server side, i have
> following kerberos config file
>
> com.sun.security.jgss.accept {
> com.sun.security.auth.module.Krb5LoginModule required isInitiator=false
> storeKey=true
> doNotPrompt=true
> useKeyTab=true
> keyTab="c://websvrKeys.keytab"
> principal="HTTP/SPN1 at MyRealm"
> realm="MyRealm"
> debug=true;
> };
>
> Please note that i am using JDK5 and i cant upgrade to JDK6 so i cant use
> isInitiator flag to false to avoid contact with KDC for authentication.
>
> Is this Principal Name is mandatory attribute here ?
>
> Since HTTP/SPN1 is my primary SPN and JDK5 GSS first perform the
> authentication in KDC so i cant use HTTP/SPN2 as principal in kerberos
> config file.
>
> I am seeing following behaviour.
>
> 1) Java GSS Server code is able to validate the service ticket ( for SPN2)
> and on server, we still have SPN1 in conf file. is this correct behaviour ?
>
> It seems in other Kerberos API,i get "WRONG PRINCIPAL IN REQUEST" ?
>
> 2) is it possible to accept kerberos ticket using some other GSSName. for
> example, my config contains principal as HTTP/SPN1, can i use HTTP/SPN2 in
> my server side code like below :
>
> GSSName sname = mgr.createName("HTTP/SPN2 at myRealm, null);
>
> GSSCredential clientCreds = mgr.createCredential(sname,
>
> GSSCredential.DEFAULT_LIFETIME,
> krb5Oid,
> GSSCredential.ACCEPT_ONLY);
>
> When i do that i get Error "Unable to get kerberos key in keytab." However,
> i have both SPN1/SPN2 in keytab file.
>
> Note that if in my server code, if i put GNAME as null then JAVa GSS API
> gets GSSName from kerberos config file by reading principal.
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list