
Java Security

Single Sign On using Kerberos and Active Directory

843810, Mar 9 2007 — edited Jan 11 2008
I am attempting to write a proof of concept of Single Sign On using Kerberos and Active Directory.

I have searched through these forums and found several suggestions which I have attempted to use, in fact my code snippet below comes from these forums.

I have set the registry setting (allowtgtsessionkey) on (both of) our Windows 2000 SP4 Active Directory Servers.

As an aside, there seems to be a difference of opinion as to whether this is a REG_DWORD or REG_SZ; see the following (but I have tried both):
http://support.microsoft.com/kb/308339 and
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

I have ticked the check box "Use DES Encryption" against my test user and reset the password in Active Directory.

I still get the error message "KDC has no support for encryption type (14)", what have I missed? Has anyone got this working?

I am using Java version 1.5.0_11

This is the configuration file I used:
JaasSample {
   com.sun.security.auth.module.Krb5LoginModule required client=true debug=true useTicketCache=true doNotPrompt=true;
};
com.sun.security.jgss.initiate { 
   com.sun.security.auth.module.Krb5LoginModule required client=true debug=true useTicketCache=true doNotPrompt=true;
};
This is the code I am using:
import java.security.PrivilegedAction;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.sun.security.auth.callback.TextCallbackHandler;

public class KerberosExample {

    // These values were elided in the post; the ones below are placeholders only.
    static final String KRB5_CONF = "/path/to/krb5.conf";        // placeholder (not used, see below)
    static final String REALM = "YOUR.REALM";                     // placeholder: AD domain in upper case
    static final String KDC = "kdc.your.realm";                   // placeholder: domain controller host
    static final String LOGIN_CONFIG = "/path/to/jaas.conf";      // placeholder: the JaasSample file above
    static final String LDAP_URL = "ldap://kdc.your.realm:389";   // placeholder: AD LDAP endpoint
    static final String USER_ACCOUNT = "cn=testuser,cn=Users,dc=your,dc=realm"; // placeholder DN

    public static void main(String[] args) {

        // Realm and KDC are given as system properties instead of a krb5.conf file.
        java.util.Properties p = new java.util.Properties(System.getProperties());
        //p.setProperty("java.security.krb5.conf", KRB5_CONF);
        p.setProperty("java.security.krb5.realm", REALM);
        p.setProperty("java.security.krb5.kdc", KDC);
        p.setProperty("java.security.auth.login.config", LOGIN_CONFIG);
        // Let JGSS pick up credentials from the Subject or the ticket cache.
        p.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        p.setProperty("sun.security.krb5.debug", "true");
        System.setProperties(p);

        // Obtain a Kerberos TGT (from the Windows ticket cache, since useTicketCache=true).
        LoginContext lc = null;
        try {
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed: " + le);
            System.exit(-1);
        }

        // Run the LDAP lookup with the authenticated Subject's credentials.
        Subject.doAs(lc.getSubject(), new LDAPAction());
    }
}

class LDAPAction implements PrivilegedAction<Object> {

    public Object run() {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, KerberosExample.LDAP_URL);
        // GSSAPI SASL bind: JNDI uses the Kerberos credentials from the Subject.
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Require the server to authenticate itself as well (mutual authentication).
        env.put("javax.security.sasl.server.authentication", "true");

        try {
            DirContext ctx = new InitialDirContext(env);

            Attributes aAnswer = ctx.getAttributes(KerberosExample.USER_ACCOUNT);
            NamingEnumeration<?> enumUserInfo = aAnswer.getAll();
            while (enumUserInfo.hasMoreElements()) {
                System.out.println(enumUserInfo.nextElement().toString());
            }
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
        return null;
    }
}
Any help would be gratefully received.
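The following is an added diagnostic example and is not the poster's code. The number in "KDC has no support for encryption type (14)" is the KDC error code KDC_ERR_ETYPE_NOSUPP, not an enctype number: the KDC rejected every encryption type the client offered. This example builds the same Krb5LoginModule entry programmatically, pins the enctypes the client offers through a constructed krb5.conf (default_tkt_enctypes / default_tgs_enctypes), and after a successful login reports which enctype the TGT's session key actually uses. The realm EXAMPLE.COM, the host kdc.example.com and the enctype list are assumptions to be replaced; which of the listed enctypes a given JDK supports depends on its version, and DES enctypes (des-cbc-md5, des-cbc-crc) are weak and should only be listed where nothing stronger is available on both sides.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.Writer;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Added diagnostic example (not the poster's code): log in and report the TGT enctype. */
public class KerberosEnctypeCheck {

    // Placeholders: replace with your own realm and KDC host name.
    static final String REALM = "EXAMPLE.COM";
    static final String KDC = "kdc.example.com";

    // Constructed krb5.conf. The enctype lists control what the client offers in its
    // AS-REQ/TGS-REQ; narrow them to what both this JDK and the KDC support. The names
    // are the standard Kerberos enctype names (assumed list, adjust as needed).
    static final String KRB5_CONF =
        "[libdefaults]\n"
        + "  default_realm = " + REALM + "\n"
        + "  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac\n"
        + "  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac\n"
        + "[realms]\n"
        + "  " + REALM + " = {\n"
        + "    kdc = " + KDC + "\n"
        + "  }\n";

    /** Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) for readable output. */
    static String enctypeName(int etype) {
        switch (etype) {
            case 1:  return "des-cbc-crc";
            case 3:  return "des-cbc-md5";
            case 16: return "des3-cbc-sha1";
            case 17: return "aes128-cts-hmac-sha1-96";
            case 18: return "aes256-cts-hmac-sha1-96";
            case 23: return "rc4-hmac";
            default: return "unknown";
        }
    }

    /** Same Krb5LoginModule entry as the JaasSample file, built in code instead of a file. */
    static Configuration krb5Config() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // The entry name is ignored here; every application name gets this entry.
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true"); // reuse the OS ticket cache (needs allowtgtsessionkey on Windows)
                opts.put("doNotPrompt", "true");    // fail instead of asking for a password
                opts.put("debug", "true");
                AppConfigurationEntry entry = new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts);
                return new AppConfigurationEntry[] { entry };
            }
            public void refresh() { }
        };
    }

    /** Session key enctype of the TGT held in the Subject, or -1 if no TGT is present. */
    static int tgtSessionKeyType(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return t.getSessionKeyType();
            }
        }
        return -1;
    }

    public static void main(String[] args) throws IOException {
        // Write the constructed krb5.conf to a temporary file and point the JDK at it.
        File conf = File.createTempFile("krb5", ".conf");
        conf.deleteOnExit();
        Writer w = new FileWriter(conf);
        w.write(KRB5_CONF);
        w.close();
        System.setProperty("java.security.krb5.conf", conf.getAbsolutePath());
        System.setProperty("sun.security.krb5.debug", "true");
        Configuration.setConfiguration(krb5Config());

        try {
            LoginContext lc = new LoginContext("JaasSample");
            lc.login();
            int etype = tgtSessionKeyType(lc.getSubject());
            System.out.println("TGT session key enctype: " + etype + " (" + enctypeName(etype) + ")");
        } catch (LoginException le) {
            // "KDC has no support for encryption type (14)" surfaces here; 14 is the
            // KDC error code KDC_ERR_ETYPE_NOSUPP, so the enctype lists above need
            // to intersect with what the KDC has keys for on this account.
            System.err.println("Login failed: " + le.getMessage());
        }
    }
}
```

With sun.security.krb5.debug=true the JDK prints the enctypes it offers and the KDC's reply, so comparing that output with the enctype reported on success (or the error code on failure) shows whether the mismatch is on the client's offer or on the account's keys.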
Post Details
Locked on Feb 8 2008
Added on Mar 9 2007
12 comments
1,505 views