Do I need keytab for Authentication?

kaffekamelen johngjesse at
Wed Apr 8 09:38:33 EDT 2009

Hi all,

I have some problems getting through to LDAP using jaas/kerberos/GSSAPI.
Kerberos login is successful, but when I try to create an InitialDirContext,
an "AuthenticationNotSupportedException: GSSAPI" is thrown. Funny thing is
that it only occurs when running a websphere+Microsoft AD setup (with ibm's
Krb5LoginModule) - when I use jboss with sun's Krb5LoginModule everything

So, there must be an issue regarding the difference in setup. Do any of you
know about known IBM problems in supporting kerberos and GSSAPI?

I am aware that ibm's Krb5LoginModule may be more restrictive than sun's. If
so, my implementation may be insufficient. Actually, I am running without
keytab file, and I'm wondering if that's a problem.

My implementation consists of a single java ear file deployed on websphere
app server:

1. The only Websphere configuration is that I have added a "MyLoginModule"
entry to (MyLoginModule entry points out Don't really know why it
should be - I don't have any webservice involved... Is
there a point here?
2. My application accepts username and password in a user dialog.
3. My application sets System properties: <myInstDir>/admin/var/jaas/krb5.conf and <myInstDir>/admin/var/jaas/step-jaas.conf
4. My application creates a LoginContext (new LoginContext("MyLoginModule",
MyCallbackhandler) - The CallbackHandler provides username and password to
the LoginModule on request. This is why I don't think I need a keytab file
copied to the websphere server...
5. Start a thread using Subject.doAs(loginContext.getSubject(),
6. The worker thread sets environment
7. The worker thread creates new InitialDirContext(env) - and this is where
the "AuthenticationNotSupportedException: GSSAPI" is thrown.

Again - there is no AuthenticationNotSupportedException when using
jboss+sun's Krb5LoginModule, so it seems that I CAN do without a keytab
file. Anyway, the problem here is that websphere is my main target

I hope some of you can give me some advice, because I'm totally stuck in
this case.
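The sequence the post describes (password-fed CallbackHandler, LoginContext, Subject.doAs, then a GSSAPI bind with InitialDirContext), written out as an added example; this is not the poster's code and not part of the archived thread. The krb5.conf and JAAS config paths, the JAAS entry name "MyLoginModule", the LDAP URL and the "javax.security.sasl.qop" setting are assumptions for the example.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Assumed JAAS entry in step-jaas.conf (example, adjust to your JDK):
 *
 *   MyLoginModule {
 *       com.sun.security.auth.module.Krb5LoginModule required;   // Sun/Oracle JDK
 *       // com.ibm.security.auth.module.Krb5LoginModule required; // IBM JDK
 *   };
 *
 * No useKeyTab/keyTab options: the principal's password comes from the
 * CallbackHandler, so no keytab is read on the client side.
 */
public class GssapiLdapLogin {

    /** Hands the name and password entered in the dialog to the Krb5LoginModule. */
    static final class DialogCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        DialogCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unsupported callback");
                }
            }
        }
    }

    /** Steps 4 of the post: obtain a Kerberos TGT for the user via JAAS. */
    static Subject kerberosLogin(String jaasEntry, String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry, new DialogCallbackHandler(user, password));
        lc.login();
        return lc.getSubject();
    }

    /** Steps 6-7 of the post: SASL/GSSAPI bind using the credentials of the current Subject. */
    static DirContext gssapiBind(String ldapUrl) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Assumed hardening: request integrity and confidentiality on the SASL
        // layer so that the directory traffic is protected on the wire.
        env.put("javax.security.sasl.qop", "auth-conf");
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        // Step 3 of the post: paths are placeholders for this example.
        System.setProperty("java.security.krb5.conf", "/opt/myapp/admin/var/jaas/krb5.conf");
        System.setProperty("java.security.auth.login.config", "/opt/myapp/admin/var/jaas/step-jaas.conf");

        String user = args[0];
        char[] password = args[1].toCharArray();          // in a real app this comes from the dialog
        final String ldapUrl = args.length > 2 ? args[2] : "ldap://dc.example.com:389"; // assumed

        Subject subject = kerberosLogin("MyLoginModule", user, password);
        Arrays.fill(password, '\0');                      // do not keep the password around after login

        // Step 5 of the post: the bind must run inside Subject.doAs so the
        // GSSAPI mechanism can find the TGT stored in the Subject.
        DirContext ctx = Subject.doAs(subject, new PrivilegedExceptionAction<DirContext>() {
            public DirContext run() throws NamingException {
                return gssapiBind(ldapUrl);
            }
        });
        try {
            Attributes rootDse = ctx.getAttributes("");   // cheap check that the bind worked
            System.out.println("bound as " + subject.getPrincipals() + ": " + rootDse.get("defaultNamingContext"));
        } finally {
            ctx.close();
        }
    }
}
```

A keytab is only needed when the principal must authenticate without an interactive password (a service or batch account): it replaces the PasswordCallback, nothing else. For a user who types a password into a dialog, the CallbackHandler path above is sufficient on the client side; what the GSSAPI bind additionally relies on is that the Subject returned by the login actually carries the Kerberos ticket, which is worth logging (subject.getPrivateCredentials()) before the InitialDirContext call when a SASL mechanism is reported as unsupported.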