3 Replies Latest reply on Mar 15, 2010 1:43 AM by 843810

    Authenticating Host SPN using Kerberos Login module


      I have written an application that needs to support Java GSS based context establishment using Java's Kerberos Login module with the clients.This application is hosted in Tomcat and I have a limitation that tomcat is running as "LocalSystem" account on the host machine(Not to confuse with Administrator account on the host machine) so it is not having password.
      On the AD to which this host is connected has SPN registered for this host machine like any other computer account. But my doubt is how will I authenticate my application(Using Kerberos Login module) using that Host SPN if I do not have any password for the "LocalSystem". I am giving user name as "HOST/<machine-name", or "<machine-name>" but it fails at the application side saying no encryption key found. If I try to give some random password I get error message from AD saying that Pre Authentication failed.

      Without authentication my application to AD I am not able to get the Kerberos Key which is required for context establishment for GSS.

      Any help in this regard will be really helpful.

        • 1. Re: Authenticating Host SPN using Kerberos Login module
          My guess is that it just does not work here. If you're writing a native application, there are Windows APIs that grabs credentials for itself based on that unknown password (or secret key) of the local system account. But in Java a server side application of JGSS-API uses a keytab to get this credential.

          Is it possible for you to config the tomcat server to run with a given account (instead of LocalSystem) and create a keytab for it?
          • 2. Re: Authenticating Host SPN using Kerberos Login module
            Thanks for your response!

            My application is just an authentication module in a bigger application which is not under my control. This application is hosted on Apache Tomcat and provide both the options to run as "LocalSystem" account and domain account. So I have to provide support for both the options.

            I am getting increasingly convinced that Java Kerberos module can't handle the authentication for "LocalSystem" account and I need to opt for some Windows Native Apis for that. If that is the case Can someone tell me how can i proceed for that. I have no idea which Windows apis to use for it.


            Edited by: Java-Dev-01 on Mar 14, 2010 6:03 AM
            • 3. Re: Authenticating Host SPN using Kerberos Login module
              The Windows APIs are InitializeSecurityContext, AcquireCredentialsHandle etc etc. Search for them on MSDN for details.

              I guess you can wrap them into a JNI library and still write your main program in Java.