Java GSS-API and kerberos Service Tickets
843810 · Dec 9 2008 — edited Dec 9 2008
Can someone please tell me what the correct behaviour of the Java GSS API should be if I get the service token for Service Principal 1 (SPN1) and, on the server, accept it using Service Principal 2 (SPN2), where both service principals are mapped to a single user account in the KDC (Windows 2003)?
I am using Windows 2003 as the KDC and both SPN1 and SPN2 are registered in a single user account. For example, if my user account is websvr, then I run the following setspn commands to set these SPNs on the websvr account:
setSPN -A HTTP/SPN1@MyRealm websvr
setSPN -A HTTP/SPN2@MyRealm websvr
I have also mapped SPN1 as primary SPN using ktpass mapuser.
In my Java client program, I request the service ticket for HTTP/SPN2@MyRealm and pass it to the Java server code. On the server side, I have the following Kerberos config file:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required isInitiator=false
storeKey=true
doNotPrompt=true
useKeyTab=true
keyTab="c://websvrKeys.keytab"
principal="HTTP/SPN1@MyRealm"
realm="MyRealm"
debug=true;
};
Please note that I am using JDK5 and I can't upgrade to JDK6, so I can't set the isInitiator flag to false to avoid contacting the KDC for authentication.
Is the principal name a mandatory attribute here?
Since HTTP/SPN1 is my primary SPN and JDK5 GSS first performs the authentication against the KDC, I can't use HTTP/SPN2 as the principal in the Kerberos config file.
I am seeing the following behaviour.
1) The Java GSS server code is able to validate the service ticket (for SPN2) while, on the server, we still have SPN1 in the conf file. Is this correct behaviour?
It seems that with other Kerberos APIs I get "WRONG PRINCIPAL IN REQUEST"?
2) Is it possible to accept a Kerberos ticket using some other GSSName? For example, my config contains the principal HTTP/SPN1; can I use HTTP/SPN2 in my server-side code like below:
GSSName sname = mgr.createName("HTTP/SPN2@myRealm", null);
GSSCredential clientCreds = mgr.createCredential(sname,
        GSSCredential.DEFAULT_LIFETIME,
        krb5Oid,
        GSSCredential.ACCEPT_ONLY);
When I do that I get the error "Unable to get kerberos key in keytab." However, I have both SPN1 and SPN2 in the keytab file.
Note that if, in my server code, I set the GSSName to null, then the Java GSS API gets the GSSName from the Kerberos config file by reading the principal.
Edited by: shrivastava_anurag on Dec 9, 2008 2:56 PM
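An added example, not code from the original post: a JDK 5-compatible acceptor that logs in through the poster's com.sun.security.jgss.accept JAAS entry, builds an ACCEPT_ONLY credential for one SPN, accepts a token and then compares the principal the ticket was actually issued for (getTargName()) with the SPN the server expects, which is the check behind question 1. The JAAS config path, the token file and the expected SPN string are assumed placeholders.

```java
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnAcceptor {
    // Placeholders: the JAAS entry name from the post and the SPN this server should serve.
    static final String JAAS_ENTRY = "com.sun.security.jgss.accept";
    static final String EXPECTED_SPN = "HTTP/SPN1@MyRealm";

    /** Logs in with the keytab (JAAS entry above) and accepts one AP-REQ token. */
    static GSSContext accept(final byte[] token) throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<GSSContext>() {
            public GSSContext run() throws Exception {
                GSSManager mgr = GSSManager.getInstance();
                Oid krb5 = new Oid("1.2.840.113554.1.2.2");
                // Name the acceptor explicitly (as in the post) instead of passing null.
                GSSName sname = mgr.createName(EXPECTED_SPN, null, krb5);
                GSSCredential cred = mgr.createCredential(sname,
                        GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = mgr.createContext(cred);
                byte[] reply = ctx.acceptSecContext(token, 0, token.length); // send reply back if mutual auth
                if (!ctx.isEstablished()) throw new IllegalStateException("context not established");
                return ctx;
            }
        });
    }

    /** Does the principal the ticket was issued for match the service we intend to be? */
    static boolean targetMatches(GSSContext ctx) throws Exception {
        return EXPECTED_SPN.equalsIgnoreCase(ctx.getTargName().toString());
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.auth.login.config", args[0]); // JAAS config file
        File f = new File(args[1]);                                      // file holding the raw token
        byte[] token = new byte[(int) f.length()];
        DataInputStream in = new DataInputStream(new FileInputStream(f));
        in.readFully(token);
        in.close();
        GSSContext ctx = accept(token);
        System.out.println("client " + ctx.getSrcName() + " presented a ticket for " + ctx.getTargName()
                + "; matches expected SPN: " + targetMatches(ctx));
    }
}
```

If targetMatches returns false, the client obtained a ticket for a different SPN of the same account than the one the server was configured with, which is the situation described in point 1.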