0 Replies. Latest reply: Oct 5, 2011 11:38 AM by 892697

SPNEGO authn with Kerberos token - multiple KDC in different domains

892697 Newbie
I am doing SPNEGO authentication (on the server side) with Kerberos tokens, with a Windows XP client workstation, a Windows 2008 KDC and my Tomcat webapp (appsvr) on Linux using Sun JGSS. Following the Java tutorial, it works with a single KDC.
Firstly, I was wondering why we need to specify a KDC at all on my app server. If the authentication happens by using the key in the keytab file (to decrypt the token), then why does my appsvr even have to authenticate/contact the KDC? It seems like the trust is solely placed on the key in the keytab.

Multiple KDC/domain
I understand there are a few ways to do this. I wanted to validate whether I am on the right track:

Presuming I can use transitive/explicit trusts between the KDCs, the client (and KDC) does all the work to get the right service ticket. My appsvr is configured with only one KDC, which has the SPN account. Is that correct?

So, I was wondering if at any point (in some different topology) I have to configure multiple KDCs on my appsvr, e.g. using [domain_realm] or [capaths] in krb5.conf? In which case, how do we configure the JAAS config file (for multiple KDCs/realms), as it has the SPN (which will reflect a different realm) defined in there? I am assuming I will have to have different SPNs for the accounts in the different KDCs? What does this solve?

Also, we will probably need multiple GSSContexts (for different SPNs), and we need to try (acceptSecContext) them all for each user authentication? I am sure I am missing something somewhere...

Any light shed on any of these aspects is greatly appreciated.

Edited by: 889694 on Oct 5, 2011 12:13 PM

Edited by: 889694 on Oct 5, 2011 12:19 PM

Edited by: 889694 on Oct 5, 2011 12:36 PM
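The following is an added example (not the poster's code and not from the Java tutorial) of the acceptor side described in the post: a Krb5LoginModule login that loads the service key from a keytab, and a SPNEGO GSSContext that validates the client's Negotiate token with that key. The keytab path, SPN, realm names and the krb5.conf fragment in the comment are assumptions chosen for illustration. It shows the point the poster raises: the service ticket inside the token is decrypted locally with the keytab key, so the acceptor does not need a KDC round trip to validate it; the JAAS option isInitiator=false tells Krb5LoginModule not to request a TGT at login. Cross-realm trust (the [capaths]/[domain_realm] entries) is walked by the client and the KDCs when the client obtains the service ticket; the acceptor only needs the keys for the SPN it is configured with.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/*
 * Minimal SPNEGO acceptor for an "Authorization: Negotiate <base64>" header.
 * Assumed (illustrative) krb5.conf on the app server, two realms with an explicit trust path:
 *   [libdefaults]
 *     default_realm = CORP.EXAMPLE
 *   [realms]
 *     CORP.EXAMPLE    = { kdc = dc1.corp.example }
 *     PARTNER.EXAMPLE = { kdc = dc1.partner.example }
 *   [domain_realm]
 *     .corp.example    = CORP.EXAMPLE
 *     .partner.example = PARTNER.EXAMPLE
 *   [capaths]
 *     PARTNER.EXAMPLE = { CORP.EXAMPLE = . }
 */
public class SpnegoAcceptor {
    // Assumed values for illustration; not from the post.
    private static final String KEYTAB = "/etc/tomcat/appsvr.keytab";
    private static final String SPN = "HTTP/appsvr.corp.example@CORP.EXAMPLE";
    private static final Oid SPNEGO_OID;

    static {
        try {
            SPNEGO_OID = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** Programmatic JAAS configuration: keytab-only acceptor, no TGT requested at login. */
    static Configuration acceptorJaasConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", KEYTAB);
                opts.put("principal", SPN);
                opts.put("storeKey", "true");     // keep the service keys in the Subject for the acceptor
                opts.put("isInitiator", "false"); // acceptor only: load keys, do not contact the KDC for a TGT
                opts.put("doNotPrompt", "true");
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    /** Log the service principal in once (at webapp start); the keys end up in the Subject. */
    static Subject loginService() throws Exception {
        LoginContext lc = new LoginContext("spnego-acceptor", null, null, acceptorJaasConfig());
        lc.login();
        return lc.getSubject();
    }

    /**
     * Validate one Negotiate header. Returns the authenticated client principal
     * (e.g. "alice@PARTNER.EXAMPLE") or null if there is no token or the context
     * still needs another round trip (the reply token must then be sent back to the client).
     */
    static String acceptToken(Subject service, String negotiateHeader) throws Exception {
        if (negotiateHeader == null || !negotiateHeader.startsWith("Negotiate ")) {
            return null;
        }
        byte[] token = Base64.getDecoder().decode(negotiateHeader.substring("Negotiate ".length()));
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            // Null name: accept with whatever service keys the Subject holds.
            GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                                                      SPNEGO_OID, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = mgr.createContext(cred);
            try {
                byte[] reply = ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished()) {
                    // Send "WWW-Authenticate: Negotiate " + base64(reply) and wait for the next request.
                    return null;
                }
                // The ticket was decrypted with the keytab key; no KDC contact was needed here.
                return ctx.getSrcName().toString();
            } finally {
                ctx.dispose();
                cred.dispose();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Subject service = loginService();
        String who = acceptToken(service, args.length > 0 ? args[0] : null);
        System.out.println(who == null ? "no or incomplete token" : "authenticated: " + who);
    }
}
```

In a real webapp the LoginContext is created once and the Subject reused for every request; only the GSSContext is per request. If the acceptor must serve SPNs from several realms, each SPN's keys need to be in the keytab and available to the Subject, which is the part of the poster's question that a single Krb5LoginModule entry with one principal does not cover.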
