Do I need keytab for Authentication?
johngjesse at hotmail.com
Wed Apr 8 09:38:33 EDT 2009
I have some problems by getting through to LDAP using jaas/kerberos/GSSAPI.
Kerberos login is successful, but when I try to create an InitialDirContext,
an "AuthenticationNotSupportedException: GSSAPI" is thrown. Funny thing is
that it only occurs when running a websphere+Microsoft AD setup (with ibm's
Krb5LoginModule) - when I use jboss with sun's Krb5LoginModule everything
So, there must be an issue regarding the difference in setup. Do any of you
know about known IBM problems in supporting kerberos and GSSAPI?
I am aware that ibm's Krb5LoginModule may be more restrictive than sun's. If
so, my implementation may be insufficient. Actually, I am running without
keytab file, and I'm wondering if that's a problem.
My implementation consist of a single java ear file deployed on websphere
1. The only Websphere configuration is that I have added a "MyLoginModule"
entry to wsjaas.properties (MyLoginModule entry points out
com.ibm.security.auth.module.Krb5LoginModule). Don't really know why it
should be wsjaas.properties - I don't have any webservice involved... Is
there a point here?
2. My application accepts username and password i a user dialog.
3. My application sets System properties:
4. My application creates a LoginContext 8new LoginContext("MyLoginModule",
MyCallbackhandler) - The CallbackHandler provides username and password to
the LoginModule on request. This is why I don't think I need a keytab file
copied to the websphere server...
5. Start a thread using Subject.doAs(loginContext.getSubject(),
6. The worker thread sets environment
7. The worker thread creates new InitialDirContext(env) - and this is where
the "AuthenticationNotSupportedException: GSSAPI" is thrown.
Again - there is no AuthenticationNotSupportedException when using
jboss+sun's Krb5LoginModule, so it seems that I CAN do without a keytab
file. Anyway, the problem here is that websphere is my main target
I hope some of you can give me some advice, because I'm totally stuck in
View this message in context: http://www.nabble.com/Do-I-need-keytab-for-Authentication--tp22950643p22950643.html
Sent from the Kerberos - Dev mailing list archive at Nabble.com.
More information about the krbdev