Error calling function protocol status: 1312
jaltman at secure-endpoints.com
Wed Oct 14 10:38:07 EDT 2009
Santiago Rivas wrote:
> Well, I do specify "useTicketCache=true" in the JAAS config file, but there
> is something I must be missing, cause I cannot get it working with cached
> tickets. In fact, I must provide username and password in the config file
> (or via command line).
> I can obtain TGT tickets with both Leash32 and Network Identity Manager
> tools, but I cannot see where they are stored, if cached (just the same as
> /tmp/krb5cc_1000 file in Linux...) ¿?
> So may be the cuestion should be: How do I configure the ticket cache in
> Windows? Is it mandatory to be configured through LSA?
> Thank you very much, Max!
MIT Kerberos for Windows defaults to using the CCAPI service to store
its credentials. Java does not support the CCAPI. These caches are
named API:<principal> by Network Identity Manager.
The Microsoft LSA Kerberos ticket interface, known to MIT Kerberos for
Windows and Network Identity Manager as MSLSA: provide a readonly
interface. It is not really a cache on XP but a ticket request
interface. If the user logged onto the machine using an active
directory domain account and the machine had network access to the AD
services at the time of login, the LSA interface can be used to request
a Kerberos ticket granting ticket representing the logged on user.
If the Logon Session was not authenticated with Kerberos, then there
will be no ability to request a TGT from the LSA.
Java supports via JAAS the ability to query the LSA for a TGT and it
can also read from a MIT FILE: credential cache. Network Identity
Manager can be configured to store the user's credentials in a
FILE:<drive>:<path> cache which can then be accessed via Java.
If no cached credentials are available, username and password are
used to obtain a TGT and then Java caches that TGT internally.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3368 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20091014/46216870/attachment.bin
More information about the krbdev