1 reply. Latest reply: Oct 29, 2009 5:25 PM by 843810

keytab and KDC question

843810 Newbie
Hi,

I was wondering if a keytab is enough for validating a Kerberos ticket, or does the GSS implementation definitely need to talk to the KDC?

The reason for asking is that if an application server is hosted in something like a DMZ or on site at an ASP, it might not be able to talk to the KDC.

I have written some sample code for ticket validation, but it does not work; maybe I'm doing something wrong or didn't understand Kerberos at all :( I should add that the code does work when it has direct access to the KDC, but not if it has no access.

My krb5.ini is:
[libdefaults]
default_realm = SST.LOCAL

[realms]
SST.LOCAL = {
    kdc = SST-DC1
}

SER.NET = {
    kdc = RMS-DC1
}
My JAAS config is:
csb-config {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="C://KeyTabSerNet"
        storeKey=true
        doNotPrompt=true
        useTicketCache=false;
};
And the code for validation is:
    import java.security.PrivilegedAction;
    import javax.security.auth.Subject;
    import org.ietf.jgss.GSSContext;
    import org.ietf.jgss.GSSCredential;
    import org.ietf.jgss.GSSException;
    import org.ietf.jgss.GSSManager;

    // 'context' is a LoginContext field that was logged in elsewhere (see below)
    public String validateToken(final byte[] kerberosToken) {
        Subject subject = context.getSubject();

        // Run the accept step as the service Subject so JGSS can find its Kerberos keys
        String loginName = Subject.doAs(subject, new PrivilegedAction<String>() {

            public String run() {
                String name = null;
                GSSManager manager = GSSManager.getInstance();
                GSSContext ctx;
                try {
                    // null credential: accept with whatever keys the Subject holds
                    ctx = manager.createContext((GSSCredential) null);
                    ctx.acceptSecContext(kerberosToken, 0, kerberosToken.length);
                    if (!ctx.isEstablished()) {
                        throw new RuntimeException("GSSContext is not established!");
                    }
                    // the authenticated client principal
                    name = ctx.getSrcName().toString();
                } catch (GSSException e) {
                    throw new RuntimeException("Kerberos token validation failed. " + e.getMessage(), e);
                }
                return name;
            }
        });

        return loginName;
    }
The only defined system property is: -Djava.security.auth.login.config=./jaas.conf

The context referred to in the code is a LoginContext created using the service principal and its password. The keytab contains the service principal's key and the KDC's private key.

Is there something wrong?

Thanks
Stephan

Edited by: StephanTheNumb on 28.10.2009 15:51
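As an added example that is not part of the original post: an acceptor-only setup in which the service logs in from its keytab key alone and validates the client's token locally, so the accepting side never needs a round trip to a KDC. The class name, the JAAS entry name `csb-acceptor`, the keytab path and the service principal below are my own assumptions, not values from the post.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
/*
 * Assumed JAAS entry in the file named by -Djava.security.auth.login.config:
 *   csb-acceptor {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useKeyTab=true
 *           keyTab="C:/KeyTabSerNet"               (assumed path)
 *           principal="HTTP/app.ser.net@SER.NET"   (assumed service principal)
 *           storeKey=true
 *           doNotPrompt=true
 *           isInitiator=false;   acceptor only: the module does not ask the KDC for a TGT
 *   };
 */
public final class KeytabAcceptor {
    private final Subject serviceSubject;
    public KeytabAcceptor() throws LoginException {
        // Log the service in from its keytab key only: no password, no ticket cache.
        LoginContext lc = new LoginContext("csb-acceptor");
        lc.login();
        serviceSubject = lc.getSubject();
    }
    /** Decrypts the client's AP-REQ with the keytab key and returns the client principal. */
    public String validateToken(final byte[] token) throws PrivilegedActionException {
        return Subject.doAs(serviceSubject, new PrivilegedExceptionAction<String>() {
            public String run() throws GSSException {
                // Null credential: the acceptor uses the keys stored in serviceSubject.
                GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
                try {
                    byte[] apRep = ctx.acceptSecContext(token, 0, token.length);
                    if (!ctx.isEstablished()) {
                        throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                    }
                    // apRep is the AP-REP to send back if the client asked for mutual auth.
                    return ctx.getSrcName().toString();
                } finally {
                    ctx.dispose();
                }
            }
        });
    }
}
```

With isInitiator=false the login succeeds from the keytab alone and the token check is a local decryption with the service key, so only the client needs a path to the KDC to obtain its service ticket.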