JAAS and Kerberos

680524 Member Posts: 43
edited Oct 19, 2011 12:36AM in Kerberos & Java GSS (JGSS)
Dear friends,

I am new to JAAS and Kerberos, and I have some questions after reading the Oracle documentation.

I am using windows xp as the client.
We specify the Krb5LoginModule in the java authentication configuration file to perform the login and authentication. We may also specify
a Callback to the LoginContext. Then the Krb5LoginModule will get the user credentials from the kerberos KDC.

My questions are: 1) As we know, on Windows, we are sometimes not prompted by the callback to input the username/password, but
the application can still obtain them. Why? I think it is because we configure the Windows registry to cache the Subject to support Kerberos (adding the parameter allowtgtsessionkey with value 1). When the user logs in to Windows, the authentication is done by the LDAP (AD) server and the Subject is cached locally.
Am I right?
2) How does the Krb5LoginModule get the user credentials from the Kerberos KDC (Subject subject = loginContext.getSubject())? Oracle's document indicates that we need to
specify -Djava.security.krb5.realm=<your_realm> and -Djava.security.krb5.kdc=<your_kdc> for the login, but I did not use these two parameters and I could still
log in successfully. Could you please explain this? Does the application learn the realm and KDC from the current operating system (Windows)?

Appreciate your time and help.

Thanks,
Ricky

Answers

  • Weijun
    Weijun Member Posts: 14
    Ricky Ru wrote:

    My questions are: 1) As we know, on Windows, we are sometimes not prompted by the callback to input the username/password, but
    the application can still obtain them. Why? I think it is because we configure the Windows registry to cache the Subject to support Kerberos (adding the parameter allowtgtsessionkey with value 1). When the user logs in to Windows, the authentication is done by the LDAP (AD) server and the Subject is cached locally.
    Am I right?
    If you login to Windows as an Active Directory account it already has the credentials cached somewhere. Now if your JAAS config file includes "useTicketCache=true", it will not ask for your password.
    2) How does the Krb5LoginModule get the user credentials from the Kerberos KDC (Subject subject = loginContext.getSubject())? Oracle's document indicates that we need to
    specify -Djava.security.krb5.realm=<your_realm> and -Djava.security.krb5.kdc=<your_kdc> for the login, but I did not use these two parameters and I could still
    log in successfully. Could you please explain this? Does the application learn the realm and KDC from the current operating system (Windows)?
    If you are using JDK 7, yes. It recognizes the LOGONSERVER and USERDNSDOMAIN (?) environment variables.
  • 680524
    680524 Member Posts: 43
    I believe it can get the domain from the local machine. But how does it know the KDC server? For example, the domain is test.com and the KDC server is kdcserver.test.com.
    How does the client know about kdcserver.test.com?
  • Weijun
    Weijun Member Posts: 14
    On Windows, it's the LOGONSERVER environment variable. On other systems, it can get the info from a DNS query.
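The configuration Weijun refers to, as an added example that is not code from either poster: a JAAS entry that tells Krb5LoginModule to reuse the TGT already cached by the OS logon instead of prompting, and the Java that drives it and inspects the resulting Subject. The file name jaas.conf, the entry name KrbClient and the class name are assumptions.

```java
// Added example, not from the original thread.
// Assumed JAAS config file "jaas.conf":
//
//   KrbClient {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true    // reuse the TGT from the OS ticket cache
//           doNotPrompt=true;      // never fall back to a password prompt
//   };
//
// On Windows the LSA cache only hands out a usable TGT (with its session
// key) when the registry value the question mentions, allowtgtsessionkey=1,
// is set; without it login() fails here instead of silently prompting.
// Run with: java -Djava.security.auth.login.config=jaas.conf KrbCacheLogin
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KrbCacheLogin {
    public static void main(String[] args) {
        // No CallbackHandler is supplied: with doNotPrompt=true the module
        // either finds cached credentials or throws a LoginException.
        try {
            LoginContext lc = new LoginContext("KrbClient");
            lc.login();
            Subject subject = lc.getSubject();

            // The principal shows which realm the JRE resolved (from the OS
            // environment on Windows, DNS elsewhere) when no krb5.realm/kdc
            // system properties were given.
            for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
                System.out.println("Authenticated as " + p.getName()
                        + " (realm " + p.getRealm() + ")");
            }
            // The cached TGT itself ends up as a private credential.
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                System.out.println("Ticket for " + t.getServer().getName()
                        + " valid until " + t.getEndTime());
            }
            lc.logout();
        } catch (LoginException e) {
            // Typical causes: no cached TGT, or the session key not exported.
            System.err.println("Kerberos login from cache failed: " + e.getMessage());
        }
    }
}
```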