This discussion is archived
1 Reply Latest reply: Oct 29, 2009 5:25 PM by 843810

keytab and KDC question

843810 Newbie

I was wondering if a keytab is enough for validating a Kerberos ticket, or does the GSS implementation definitely need to talk to the KDC?

The reason for asking is that if an application server is hosted in something like a DMZ, or on site at an ASP, it might not be able to talk to the KDC.

I have written some sample code for ticket validation, but it does not work; maybe I'm doing something wrong or didn't understand Kerberos at all :( I should add that the code does work when it has direct access to the KDC, but not if it has no access.

My krb5.ini is:
     default_realm = SST.LOCAL
       kdc = SST-DC1
          kdc = RMS-DC1
My jaas config is
csb-config { required
And the code for validation is:
     import java.security.PrivilegedAction;
     import javax.security.auth.Subject;
     import org.ietf.jgss.GSSContext;
     import org.ietf.jgss.GSSCredential;
     import org.ietf.jgss.GSSException;
     import org.ietf.jgss.GSSManager;

     public String validateToken(final byte[] kerberosToken) {
          // Subject populated by the LoginContext (service principal + password)
          Subject subject = context.getSubject();
          String loginName = Subject.doAs(subject, new PrivilegedAction<String>() {
               public String run() {
                    String name = null;
                    GSSManager manager = GSSManager.getInstance();
                    GSSContext ctx;
                    try {
                         // null credential: use the default acceptor credential from the Subject
                         ctx = manager.createContext((GSSCredential) null);
                         // process the client's AP-REQ token
                         ctx.acceptSecContext(kerberosToken, 0, kerberosToken.length);
                         if (!ctx.isEstablished()) {
                              throw new RuntimeException("GSSContext is not established!");
                         }
                         // authenticated client principal
                         name = ctx.getSrcName().toString();
                    } catch (GSSException e) {
                         throw new RuntimeException("Kerberos token validation failed. " + e.getMessage(), e);
                    }
                    return name;
               }
          });
          return loginName;
     }
The only defined system property is:

The context referred to in the code is a LoginContext created using the service principal and its password. The keytab contains the service principal's key and the KDC's private key.

Is there something wrong?


Edited by: StephanTheNumb on 28.10.2009 15:51
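As an added example, not code from the original post: the Krb5LoginModule, when given a principal and password, performs an AS exchange at login time and therefore must reach a KDC; an acceptor logged in from a keytab with isInitiator=false only loads the service key into the Subject, and acceptSecContext verifies the client's AP-REQ with that key alone. The service principal name, keytab path and target-name check below are assumptions; the JAAS entry name csb-config is taken from the post.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example (not from the original post): accept a Kerberos AP-REQ using
 * only the service key from a keytab. SERVICE_PRINCIPAL and KEYTAB_PATH are
 * assumed values; substitute the real SPN and file location.
 */
public class KeytabAcceptor {
    private static final String SERVICE_PRINCIPAL = "HTTP/app.sst.local@SST.LOCAL"; // assumed
    private static final String KEYTAB_PATH = "/etc/app/service.keytab";            // assumed
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";             // Kerberos V5 GSS mechanism

    /** Programmatic equivalent of a jaas.conf entry, so no external file is read. */
    static Configuration acceptorConfig() {
        Map<String, String> opts = new HashMap<String, String>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", KEYTAB_PATH);
        opts.put("principal", SERVICE_PRINCIPAL);
        opts.put("storeKey", "true");     // keep the long-term key in the Subject for the acceptor
        opts.put("doNotPrompt", "true");  // never fall back to asking for a password
        opts.put("isInitiator", "false"); // acceptor only: no AS-REQ, so no KDC round trip at login
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Loads the service key from the keytab into a Subject; nothing is sent to the KDC. */
    static Subject loginAcceptor() throws LoginException {
        LoginContext lc = new LoginContext("csb-config", null, null, acceptorConfig());
        lc.login();
        return lc.getSubject();
    }

    /**
     * Verifies an AP-REQ and returns the authenticated client principal. Only the
     * acceptor's own key is needed to decrypt the ticket and check the authenticator,
     * so this runs without network access to the KDC.
     */
    static String validateToken(Subject acceptor, final byte[] apReq) throws Exception {
        return Subject.doAs(acceptor, new PrivilegedExceptionAction<String>() {
            public String run() throws GSSException {
                GSSManager manager = GSSManager.getInstance();
                Oid krb5 = new Oid(KRB5_MECH_OID);
                // Acceptor-only credential built from the KerberosKey stored in the Subject.
                GSSCredential cred = manager.createCredential(
                        null, GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = manager.createContext(cred);
                try {
                    byte[] reply = ctx.acceptSecContext(apReq, 0, apReq.length);
                    if (!ctx.isEstablished()) {
                        throw new GSSException(GSSException.FAILURE, 0, "context not established after AP-REQ");
                    }
                    // reply is the AP-REP when the client requested mutual authentication;
                    // a real server must send it back to the client rather than drop it.
                    if (reply != null && reply.length == 0) {
                        throw new GSSException(GSSException.FAILURE, 0, "empty AP-REP");
                    }
                    // Reject tickets issued for some other principal that also lives in the keytab.
                    GSSName expected = manager.createName(SERVICE_PRINCIPAL, GSSName.NT_USER_NAME, krb5);
                    if (!ctx.getTargName().equals(expected)) {
                        throw new GSSException(GSSException.BAD_NAME, 0, "ticket is for " + ctx.getTargName());
                    }
                    return ctx.getSrcName().toString();
                } finally {
                    ctx.dispose();  // release session key and authenticator state
                    cred.dispose();
                }
            }
        });
    }
}
```

Two caveats still tie the acceptor to the KDC indirectly: the keytab must hold the key version (kvno) the KDC currently uses for the SPN, so resetting the service account's password on the DC breaks validation until the keytab is regenerated, and the acceptor's clock must stay within the allowed skew of the clients' clocks, since the authenticator timestamp is checked locally.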