Kerberos - how do I obtain a service ticket?
843810 | Feb 6 2008 — edited Jun 2 2008

Hi, I've been going over the forums and Google for several days trying to make sense of Kerberos v5, GSS, JAAS etc. and need some help putting the bits together, as everything that I read just ends up confusing me more and more.
1. I can successfully login to our Active Directory using a LoginContext (Active Directory is the KDC).
2. I retrieve a Subject from this context. The Subject contains a ticket and a session key.
I assume that the ticket is the TGT?
From this step I want to get a service ticket for my Java client program, so it can talk to a server. The communications will be over SOAP.
So from what I've read, I need my client to perform the following steps:
3. Talk to the KDC again and say "I now want to talk to server X - can you send me a service ticket?".
4. Get service ticket from KDC, which has been encrypted somehow so that the server knows how to unencrypt it.
5. Send the service ticket to the server, in a SOAP security header.
6. Server gets service ticket, unencrypts it and knows who the client was and that they are authentic.
Is this generally correct?
Does anyone know what the exact code is to perform step 3 and step 6?
Also, note that while I can login successfully, when creating a GSSContext for the SOAP web service, I always get the GSSException *"No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)"* when trying to call initSecContext(). I have created the security principal in Active Directory for the web service, and used setspn.exe and ktpass.exe to assign server name mappings to that user also.
Thanks heaps if anyone can help!
Edited by: antsb on Feb 6, 2008 8:00 PM
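Steps 3 to 6 from the post above, carried through with JAAS and the JGSS API, as an added example that is not from the original post or its author. It assumes two hypothetical JAAS login entries (ClientLogin and ServiceLogin) and the placeholder service host host.example.com; the point it shows is that initSecContext() has to be called inside Subject.doAs() with the logged-in Subject, otherwise JGSS cannot see the TGT and raises exactly the "Failed to find any Kerberos tgt" exception quoted in the post.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

public class KerberosServiceTicketExample {
    // Steps 3 and 4: must run inside the logged-in client Subject so JGSS can see the TGT.
    // Calling initSecContext() outside Subject.doAs() is the usual cause of
    // "No valid credentials provided ... Failed to find any Kerberos tgt".
    public static byte[] clientToken(Subject clientSubject, String hostBasedService) throws Exception {
        return Subject.doAs(clientSubject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSName serverName = manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
            // null mechanism = JGSS default, which is Kerberos v5
            GSSContext context = manager.createContext(serverName, null, null, GSSContext.DEFAULT_LIFETIME);
            // JGSS sends a TGS-REQ to the KDC using the TGT, then builds the AP-REQ token:
            // the service ticket (encrypted under the service's key) plus an authenticator.
            byte[] apReq = context.initSecContext(new byte[0], 0, 0);
            context.dispose(); // one-way auth; with requestMutualAuth(true) keep the context for the server's reply
            return apReq;
        });
    }

    // Step 6: the service decrypts the ticket with its own long-term key, loaded from the
    // keytab produced by ktpass.exe, and learns the authenticated client principal.
    public static String acceptToken(Subject serviceSubject, byte[] apReq) throws Exception {
        return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<String>) () -> {
            GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
            context.acceptSecContext(apReq, 0, apReq.length);
            if (!context.isEstablished()) throw new SecurityException("context not established");
            String client = context.getSrcName().toString(); // e.g. user@EXAMPLE.COM
            context.dispose();
            return client;
        });
    }
    public static void main(String[] args) throws Exception {
        // Assumed (hypothetical) JAAS config entries: ClientLogin uses Krb5LoginModule for the user;
        // ServiceLogin uses Krb5LoginModule with useKeyTab=true storeKey=true principal="HTTP/host.example.com".
        LoginContext clientLogin = new LoginContext("ClientLogin");
        clientLogin.login();                                   // steps 1 and 2: Subject now holds the TGT
        byte[] apReq = clientToken(clientLogin.getSubject(), "HTTP@host.example.com");
        // step 5: apReq is what travels to the server, base64-encoded, inside the SOAP security header
        LoginContext serviceLogin = new LoginContext("ServiceLogin");
        serviceLogin.login();
        System.out.println("authenticated client: " + acceptToken(serviceLogin.getSubject(), apReq));
    }
}
```

The service-side LoginContext must be configured with storeKey=true and the keytab holding the SPN's key, otherwise acceptSecContext() has nothing to decrypt the ticket with.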