I am doing SPNEGO Authentication (on server side) with kerberos tokens with a win xp client workstation, a win 2k8 kdc and my tomcat webapp (appsvr) on linux using sun jgss. Following the java tutorial, it works with single kdc.
Firstly, I was wondering why do we need to specify a KDC at all on my app server ? If the authentication happens by using the key in keytab file (to decrypt the token) then why does my appsvr even has to authenticate/contact to KDC ?? Seems like the trust is solely placed on the key in keytab.
I understand there are a few ways to do this. Wanted to validate if I am on right track -
Presuming, I can use transitive/explicit trusts between the KDCs - This way the client (and kdc)) does all to get the right service-tkt. My appsvr is configured with only one kdc which has spn account. Is that correct ?
So, I was wondering if at any point (in some different topology) do I have to configure mutiple KDCs on my appsvr like using [domain_realms] or [capaths] in krb5.conf ? In which case how do we configure the jaas config file (for multiple kdc/realms) as it has spn (which will reflect different realm) defined in there. I am assuming I will have to have different SPNs for the accounts in different KDCs ? what does this solve ?
Also, we probably will need multiple GSSContexts (for different SPNs) and we need to try (acceptSecContext) them all for each user authentication ? I am sure I am missing something somewhere...
Any light shed on any of these aspects is greatly appreciated.