Discussions
Categories
- 384.6K All Categories
- 2.5K Data
- 556 Big Data Appliance
- 1.9K Data Science
- 451.4K Databases
- 222.1K General Database Discussions
- 3.8K Java and JavaScript in the Database
- 32 Multilingual Engine
- 562 MySQL Community Space
- 479 NoSQL Database
- 7.9K Oracle Database Express Edition (XE)
- 3.1K ORDS, SODA & JSON in the Database
- 561 SQLcl
- 4K SQL Developer Data Modeler
- 187.5K SQL & PL/SQL
- 21.4K SQL Developer
- 296.9K Development
- 1 Application Development
- 18 Developer Projects
- 140 Programming Languages
- 293.6K Development Tools
- 112 DevOps
- 3.1K QA/Testing
- 646.2K Java
- 28 Java Learning Subscription
- 37K Database Connectivity
- 193 Java Community Process
- 106 Java 25
- 22.1K Java APIs
- 138.2K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 21 Java Essentials
- 167 Java 8 Questions
- 86K Java Programming
- 81 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.3K Java SE
- 13.8K Java Security
- 206 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 537 LiveLabs
- 39 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 178 Deutsche Oracle Community
- 1.1K Español
- 1.9K Japanese
- 236 Portuguese
JAAS and Kerberos
680524
Member Posts: 43
Dear friends,
I am a new guy of JAAS and Kerberos. And I have some questions after saw the Oracle document.
I am using windows xp as the client.
We specify the Krb5LoginModule in the java authentication configuration file to perform the login and authentication. We may also specify
a Callback to the LoginContext. Then the Krb5LoginModule will get the user credentials from the kerberos KDC.
My question are 1)As we know, in windows, sometimes, we are not prompted to input the username/password by the callback but
the application can obtain it. why? I think it is because we configure the windows register to cache the Subject to support the kerberos(adding parameter allowtgtsessionkey with value 1). When user logins to windows, the authentication is done by the LDAP(AD) server and the Subject is cached in local.
Am I right?
2) How the Krb5LoginModule get the user credentials from kerberos KDC(Subject subject=loginContext.getSubject())? Although, Oracle's document indicates that we need to
specify the -Djava.security.krb5.realm=<your_realm> and -Djava.security.krb5.kdc=<your_kdc> for the login. But I did not use this two parameter and I still could
login successfully. Could you please explain this? Does the application know the realm and kdc from the current opration system(windows)?
Appreciate your time and help.
Thanks,
Ricky
I am a new guy of JAAS and Kerberos. And I have some questions after saw the Oracle document.
I am using windows xp as the client.
We specify the Krb5LoginModule in the java authentication configuration file to perform the login and authentication. We may also specify
a Callback to the LoginContext. Then the Krb5LoginModule will get the user credentials from the kerberos KDC.
My question are 1)As we know, in windows, sometimes, we are not prompted to input the username/password by the callback but
the application can obtain it. why? I think it is because we configure the windows register to cache the Subject to support the kerberos(adding parameter allowtgtsessionkey with value 1). When user logins to windows, the authentication is done by the LDAP(AD) server and the Subject is cached in local.
Am I right?
2) How the Krb5LoginModule get the user credentials from kerberos KDC(Subject subject=loginContext.getSubject())? Although, Oracle's document indicates that we need to
specify the -Djava.security.krb5.realm=<your_realm> and -Djava.security.krb5.kdc=<your_kdc> for the login. But I did not use this two parameter and I still could
login successfully. Could you please explain this? Does the application know the realm and kdc from the current opration system(windows)?
Appreciate your time and help.
Thanks,
Ricky
Answers
-
Ricky Ru wrote:If you login to Windows as an Active Directory account it already has the credentials cached somewhere. Now if your JAAS config file includes "useTicketCache=true", it will not ask for your password.
My question are 1)As we know, in windows, sometimes, we are not prompted to input the username/password by the callback but
the application can obtain it. why? I think it is because we configure the windows register to cache the Subject to support the kerberos(adding parameter allowtgtsessionkey with value 1). When user logins to windows, the authentication is done by the LDAP(AD) server and the Subject is cached in local.
Am I right?2) How the Krb5LoginModule get the user credentials from kerberos KDC(Subject subject=loginContext.getSubject())? Although, Oracle's document indicates that we need toIf you are using JDK 7, yes. It recognizes the LOGONSERVER and USERDNSDOMAIN (?) environment variables.
specify the -Djava.security.krb5.realm=<your_realm> and -Djava.security.krb5.kdc=<your_kdc> for the login. But I did not use this two parameter and I still could
login successfully. Could you please explain this? Does the application know the realm and kdc from the current opration system(windows)?
> -
I believe it can get the domain from the local machine. But how to know the kdc server? for example, the domain is test.com and the kdc server is kdcserver.test.com.
How the client know the kdcserver.test.com? -
On Windows, it's the LOGONSERVER environment variable. On other systems, it can get the info from a DNS query.
This discussion has been closed.