0 Replies Latest reply on Oct 5, 2011 6:38 PM by 892697

    SPNEGO authn with Kerberos token - multiple KDC in different domains

      I am doing SPNEGO authentication (on the server side) with Kerberos tokens, with a Win XP client workstation, a Win 2k8 KDC and my Tomcat webapp (appsvr) on Linux using Sun JGSS. Following the Java tutorial, it works with a single KDC.
      Firstly, I was wondering why we need to specify a KDC at all on my app server? If the authentication happens by using the key in the keytab file (to decrypt the token), then why does my appsvr even have to authenticate to/contact the KDC? It seems like the trust is solely placed on the key in the keytab.

      Multiple KDC/domain
      I understand there are a few ways to do this. I wanted to validate whether I am on the right track:

      Presuming I can use transitive/explicit trusts between the KDCs: this way the client (and KDC) does everything to get the right service-tkt. My appsvr is configured with only one KDC, which has the SPN account. Is that correct?

      So, I was wondering if at any point (in some different topology) I have to configure multiple KDCs on my appsvr, like using [domain_realms] or [capaths] in krb5.conf? In which case, how do we configure the JAAS config file (for multiple KDCs/realms), as it has the SPN (which will reflect a different realm) defined in there? I am assuming I will have to have different SPNs for the accounts in different KDCs? What does this solve?

      Also, we probably will need multiple GSSContexts (for different SPNs) and we need to try (acceptSecContext) them all for each user authentication? I am sure I am missing something somewhere...

      Any light shed on any of these aspects is greatly appreciated.

      Edited by: 889694 on Oct 5, 2011 12:13 PM

      Edited by: 889694 on Oct 5, 2011 12:19 PM

      Edited by: 889694 on Oct 5, 2011 12:36 PM