1 Reply Latest reply: Oct 29, 2009 7:25 PM by 843810

    keytab and KDC question


      I was wondering if a keytab is enough for validating a Kerberos ticket, or does the GSS implementation definitely need to talk to the KDC?

      The reason for asking is that if an application server is hosted in something like a DMZ or on site at an ASP, it might not be able to talk to the KDC.

      I have written some sample code for ticket validation, but it does not work; maybe I'm doing something wrong or didn't understand Kerberos at all :( I should add that the code does work when it has direct access to the KDC, but not if it has no access.

      My krb5.ini is:
      [libdefaults]
        default_realm = SST.LOCAL
      [realms]
        SST.LOCAL = {
          kdc = SST-DC1
        }
        SER.NET = {
          kdc = RMS-DC1
        }
      My JAAS config is:
      csb-config {
        com.sun.security.auth.module.Krb5LoginModule required;
      };
      And the code for validation is:
           import java.security.PrivilegedAction;
           import javax.security.auth.Subject;
           import javax.security.auth.login.LoginContext;
           import org.ietf.jgss.GSSContext;
           import org.ietf.jgss.GSSCredential;
           import org.ietf.jgss.GSSException;
           import org.ietf.jgss.GSSManager;

           // LoginContext created from the service principal and its password (see below)
           private LoginContext context;

           public String validateToken(final byte[] kerberosToken) {
                Subject subject = context.getSubject();
                // Run the accept step with the service's credentials from the JAAS login
                String loginName = Subject.doAs(subject, new PrivilegedAction<String>() {
                     public String run() {
                          String name = null;
                          GSSManager manager = GSSManager.getInstance();
                          GSSContext ctx;
                          try {
                               ctx = manager.createContext((GSSCredential) null);
                               ctx.acceptSecContext(kerberosToken, 0, kerberosToken.length);
                               if (!ctx.isEstablished()) {
                                    throw new RuntimeException("GSSContext is not established!");
                               }
                               // Authenticated client principal from the accepted ticket
                               name = ctx.getSrcName().toString();
                          } catch (GSSException e) {
                               throw new RuntimeException("Kerberos token validation failed. " + e.getMessage(), e);
                          }
                          return name;
                     }
                });
                return loginName;
           }
      The only defined system property is: -Djava.security.auth.login.config=./jaas.conf

      The context referred to in the code is a LoginContext created using the service principal and its password. The keytab contains the service principal's key and the KDC's private key.

      Is there something wrong?


      Edited by: StephanTheNumb on 28.10.2009 15:51
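An acceptor verifies an AP-REQ with nothing but its own long-term service key: the ticket inside the token is encrypted to that key, so no KDC round trip is needed to accept it, and the KDC's own key plays no part (it should not be distributed in application keytabs at all). In Sun's implementation the key comes from the Subject's private credentials, and when Krb5LoginModule is configured only with a password it obtains a TGT through an AS exchange at login time; that exchange is the KDC contact that fails from a DMZ. Configured with useKeyTab, storeKey and isInitiator=false, the module loads the key from the keytab and makes no KDC request. The following is an added example, not code from the original post, showing such an acceptor with its JAAS entry built in code rather than in jaas.conf; the class name, the principal HTTP/appserver.example.net@EXAMPLE.NET, the keytab path and the token file argument are assumptions. It assumes Java 8 or later, and the realm definitions in krb5.ini are still required for parsing principal names.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/** Accepts Kerberos GSS-API tokens using only the service key read from a keytab. */
public class KeytabAcceptor {

    // Assumed values for illustration; substitute the real service principal and keytab.
    static final String SERVICE_PRINCIPAL = "HTTP/appserver.example.net@EXAMPLE.NET";
    static final String KEYTAB_PATH = "/etc/app/service.keytab";

    /** Builds the JAAS entry in code; the same options can be written in jaas.conf instead. */
    static Configuration acceptorConfig() {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");        // read the long-term key from the keytab ...
        opts.put("keyTab", KEYTAB_PATH);
        opts.put("principal", SERVICE_PRINCIPAL);
        opts.put("storeKey", "true");         // ... and keep it in the Subject for acceptSecContext
        opts.put("isInitiator", "false");     // acceptor only: no TGT request, so no KDC traffic at login
        opts.put("doNotPrompt", "true");      // never fall back to asking for a password
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Logs the service in from its keytab and returns the Subject holding the key. */
    static Subject loginFromKeytab() throws LoginException {
        LoginContext lc = new LoginContext("keytab-acceptor", null, null, acceptorConfig());
        lc.login();
        return lc.getSubject();
    }

    /**
     * Validates a client's AP-REQ token with the service key held in the Subject and
     * returns the authenticated client principal. Throws if the token is not accepted
     * or was issued for a different service principal than the one we expect.
     */
    static String validateToken(Subject service, final byte[] token) throws GSSException {
        try {
            return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
                GSSManager manager = GSSManager.getInstance();
                GSSContext ctx = manager.createContext((GSSCredential) null);
                try {
                    // One accept step is enough for an AP-REQ; the bytes it returns, if any,
                    // are the mutual-authentication reply that the client may be waiting for.
                    ctx.acceptSecContext(token, 0, token.length);
                    if (!ctx.isEstablished()) {
                        throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                    }
                    // Reject tickets cut for some other principal whose key happens to be in the keytab.
                    if (!SERVICE_PRINCIPAL.equals(ctx.getTargName().toString())) {
                        throw new GSSException(GSSException.BAD_NAME);
                    }
                    return ctx.getSrcName().toString();
                } finally {
                    ctx.dispose();
                }
            });
        } catch (PrivilegedActionException e) {
            // The action only throws GSSException, so the cause is safe to unwrap.
            throw (GSSException) e.getCause();
        }
    }

    public static void main(String[] args) throws Exception {
        // The token is what the client sent, e.g. the base64-decoded Negotiate header (file path assumed).
        byte[] token = Files.readAllBytes(Paths.get(args[0]));
        Subject service = loginFromKeytab();
        System.out.println("authenticated client: " + validateToken(service, token));
    }
}
```

A quick way to confirm that the acceptor no longer depends on the KDC is to run it with the KDC ports blocked by the host firewall and watch that login and acceptance still succeed, while the password-based configuration from the post fails at LoginContext.login(). The name check on getTargName() matters when one keytab holds several service principals: a ticket for any of them decrypts, so without the check a client could present a ticket for a different service to this endpoint.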