Do you have any suggestion?
This MS "feature" does not allow a complete (and useful) Kerberos 5 credential to be acquired from the LSA cache. Either you change the registry value, or you use a pure Java approach: this means calling kinit to get a non-LSA-based cache, or providing username/password to Krb5LoginModule directly.
We've tried experiments to call Windows APIs to acquire a service ticket (instead of a TGT) from LSA. The service ticket does come with a non-zero session key, so that GSS communications with the service can be performed. However, if you want to do credentials delegation you still have to get a FORWARDED TGT, and this time the session key is zero again. Delegation plays a very important part in Kerberos and GSS; to provide the same user experience on all supported platforms, we cannot go this way.
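The pure-Java route the reply above describes, written out as an added example that is not code from this thread or from the JDK: Krb5LoginModule reads a kinit-populated (non-LSA) ticket cache, the client asks GSS-API for credential delegation, and the service side picks up the delegated credential and uses it as the initiator credential for the next hop (the database) instead of touching any key material itself. The cache path, the service principal strings, the JAAS entry name and the `kinit -f` step are assumptions for illustration; the Krb5LoginModule options and the GSS calls are standard JDK APIs.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class DelegatingGssExample {
    // Kerberos 5 GSS mechanism OID (standard value, not thread-specific)
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");

    /** Programmatic JAAS configuration: Krb5LoginModule reads a ticket cache that
     *  was filled by "kinit -f" (or with forwardable=true in krb5.conf), so the TGT
     *  carries a real session key and is forwardable. doNotPrompt=true makes the
     *  login fail fast instead of asking for a password when the cache is unusable. */
    static Configuration ticketCacheConfig(final String cachePath) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useTicketCache", "true");
                opts.put("ticketCache", cachePath);   // assumption: cache written by kinit -f
                opts.put("doNotPrompt", "true");
                opts.put("renewTGT", "true");
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Client side: build an initiator context that requests credential delegation
     *  and return the first token to send to the service. If the cached TGT has no
     *  usable session key (the LSA case) or is not forwardable, this is where the
     *  failure surfaces, long before any application data is exchanged. */
    static byte[] firstTokenWithDelegation(Subject client, final String servicePrincipal,
                                           final GSSContext[] ctxOut) throws Exception {
        return Subject.doAs(client, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                GSSName target = mgr.createName(servicePrincipal, GSSName.NT_USER_NAME);
                GSSContext ctx = mgr.createContext(target, KRB5_MECH, null,
                                                   GSSContext.DEFAULT_LIFETIME);
                ctx.requestCredDeleg(true);   // ask for a FORWARDED TGT to be sent along
                ctx.requestMutualAuth(true);
                ctxOut[0] = ctx;              // keep it: later tokens continue the handshake
                return ctx.initSecContext(new byte[0], 0, 0);
            }
        });
    }

    /** Service side, run inside the service's own Subject.doAs (keytab login with
     *  isInitiator=false): accept the client token and, if delegation was granted,
     *  hand back the delegated credential. The service never sees a key; it only
     *  reuses the forwarded TGT to get its own ticket for the next hop. */
    static GSSCredential acceptAndGetDelegated(byte[] clientToken) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSContext ctx = mgr.createContext((GSSCredential) null);
        byte[] reply = ctx.acceptSecContext(clientToken, 0, clientToken.length);
        // reply (if non-null) goes back to the client to finish mutual authentication
        if (!ctx.isEstablished() || !ctx.getCredDelegState()) {
            return null;                      // no delegation: caller must not impersonate
        }
        return ctx.getDelegCred();
    }

    /** Next hop: open a context to the database as the original user, using the
     *  delegated credential as the initiator credential. */
    static GSSContext contextToDatabase(GSSCredential delegated, String dbPrincipal)
            throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName db = mgr.createName(dbPrincipal, GSSName.NT_USER_NAME);
        GSSContext ctx = mgr.createContext(db, KRB5_MECH, delegated,
                                           GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String cache = args.length > 0 ? args[0] : "C:\\temp\\krb5cc_user";       // placeholder
        String service = args.length > 1 ? args[1] : "appservice@EXAMPLE.COM";    // placeholder
        Configuration.setConfiguration(ticketCacheConfig(cache));
        LoginContext lc = new LoginContext("KinitCacheLogin");   // name is ignored by our config
        lc.login();
        GSSContext[] holder = new GSSContext[1];
        byte[] token = firstTokenWithDelegation(lc.getSubject(), service, holder);
        System.out.println("first token bytes: " + token.length
            + ", delegation requested: " + holder[0].getCredDelegState());
    }
}
```

Before running the client, populate the cache with the JDK tool (`kinit -f -c C:\temp\krb5cc_user user@EXAMPLE.COM`, path as assumed above) or set `forwardable = true` under `[libdefaults]` in krb5.conf; without a forwardable TGT the acceptor's `getCredDelegState()` stays false and the service must refuse to act on the user's behalf rather than fall back to anything key-based.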
This is an old thread, but one of my clients has run into the same problem. Hopefully someone is still monitoring....
The answer is that the implementation should not be trying to do anything directly with keys. Delegation works just fine if it has been configured correctly in AD. Simply impersonate the context on the server side and then call the appropriate API to get a new service ticket and it will use the forwarded TGT. Credential delegation solved.
MS was correct to "fix" the session key interface since it allowed user code to attain a "password equivalent". The JAAS implementation should be fixed to use the Windows authentication interfaces correctly.
Feel free to contact me offline for more information or pointers at email@example.com (remove the no-spams).
I'm curious whether there is any alternative to changing the registry?
We have a Java Web Start application that we want to use integrated Windows authentication with, and then use Kerberos to authenticate against the database.
From reading up on the subject for a couple of hours it seems that it should be possible - although it requires this registry change - or purchasing a commercial product.
If I've missed something - please let me know!
Thanks - Bryan
Well, say thank you to Microsoft. As far as I know the TGT is stored in memory and not on disk like in UNIX. I am not aware of any other way besides the registry hack. It works flawlessly at work.