Java Security

Kerberos - how do I obtain a service ticket?

843810 Feb 6 2008 — edited Jun 2 2008
Hi, I've been going over the forums and Google for several days trying to make sense of Kerberos v5, GSS, JAAS, etc., and need some help putting the bits together, as everything that I read just ends up confusing me more and more.

1. I can successfully login to our Active Directory using a LoginContext (Active Directory is the KDC).
2. I retrieve a Subject from this context. The Subject contains a ticket and a session key.

I assume that the ticket is the TGT?

From this step I want to get a service ticket for my Java client program, so it can talk to a server. The communications will be over SOAP.

So from what I've read, I need my client to perform the following steps:

3. Talk to the KDC again and say "I now want to talk to server X - can you send me a service ticket?".
4. Get service ticket from KDC, which has been encrypted somehow so that the server knows how to unencrypt it.
5. Send the service ticket to the server, in a SOAP security header.
6. Server gets service ticket, unencrypts it and knows who the client was and that they are authentic.

Is this generally correct?

Does anyone know what the exact code is to perform step 3 and step 6?

Also, note that while I can login successfully, when creating a GSSContext for the SOAP web service, I always get the GSSException *"No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)"* when trying to call initSecContext(). I have created the security principal in Active Directory for the web service, and used setspn.exe and ktpass.exe to assign server name mappings to the user also.

Thanks heaps if anyone can help!

Edited by: antsb on Feb 6, 2008 8:00 PM
Post Details
Locked on Jun 30 2008
Added on Feb 6 2008
15 comments
1,234 views
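
The exchange described in steps 3 to 6 of the post, as an added example that is not part of the original thread: a JGSS sketch in which the client obtains the service ticket inside `Subject.doAs` and the server accepts it. The class and method names, the JAAS entry names `Client` and `Service`, and the `service@host` argument are assumptions made for illustration.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class KerberosSoapTicket {
    static final String KRB5_MECH = "1.2.840.113554.1.2.2"; // Kerberos v5 GSS mechanism OID

    // Steps 3-5 (client). The GSS calls run inside Subject.doAs because, by default,
    // JGSS takes the TGT from the Subject that doAs associates with the running code.
    static String requestServiceToken(Subject client, String service) throws Exception {
        return Subject.doAs(client, (PrivilegedExceptionAction<String>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName target = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(target, new Oid(KRB5_MECH),
                    null, GSSContext.DEFAULT_LIFETIME); // null = credentials from the Subject
            ctx.requestMutualAuth(false); // one token only, so it fits a single SOAP header
            // The TGS exchange with the KDC happens inside this call; the returned
            // token wraps the service ticket plus an authenticator (AP-REQ).
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return Base64.getEncoder().encodeToString(token);
        });
    }

    // Step 6 (server). The service Subject must hold the service's long-term key,
    // e.g. from a keytab login, so the ticket can be decrypted.
    static String acceptServiceToken(Subject service, String b64Token) throws Exception {
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            byte[] token = Base64.getDecoder().decode(b64Token);
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) throw new SecurityException("more tokens required");
            String clientPrincipal = ctx.getSrcName().toString();
            ctx.dispose();
            return clientPrincipal;
        });
    }

    public static void main(String[] args) throws Exception {
        // "Client" and "Service" are assumed JAAS entries; args[0] is service@host
        LoginContext client = new LoginContext("Client");
        client.login();
        String header = requestServiceToken(client.getSubject(), args[0]);
        LoginContext service = new LoginContext("Service");
        service.login();
        System.out.println(acceptServiceToken(service.getSubject(), header));
    }
}
```

Running it needs a reachable KDC and a JAAS configuration in which the assumed `Service` entry logs in from the service's keytab with `storeKey=true`, and the assumed `Client` entry obtains its credentials without a callback handler (for example from a ticket cache).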