3 Replies Latest reply: Oct 18, 2011 9:36 PM by Weijun

JAAS and Kerberos

680524 Newbie
Dear friends,

I am new to JAAS and Kerberos, and I have some questions after reading the Oracle document.

I am using Windows XP as the client.
We specify the Krb5LoginModule in the Java authentication configuration file to perform the login and authentication. We may also specify
a Callback to the LoginContext. Then the Krb5LoginModule will get the user credentials from the Kerberos KDC.

My questions are: 1) As we know, in Windows, sometimes we are not prompted to input the username/password by the callback, but
     the application can obtain it. Why? I think it is because we configure the Windows registry to cache the Subject to support Kerberos (adding the parameter allowtgtsessionkey with value 1). When the user logs in to Windows, the authentication is done by the LDAP (AD) server and the Subject is cached locally.
     Am I right?
2) How does the Krb5LoginModule get the user credentials from the Kerberos KDC (Subject subject = loginContext.getSubject())? Oracle's document indicates that we need to
specify -Djava.security.krb5.realm=<your_realm> and -Djava.security.krb5.kdc=<your_kdc> for the login, but I did not use these two parameters and I could still
log in successfully. Could you please explain this? Does the application know the realm and KDC from the current operating system (Windows)?

Appreciate your time and help.

Thanks,
Ricky
  • 1. Re: JAAS and Kerberos
    Weijun Newbie
    Ricky Ru wrote:

    My questions are: 1) As we know, in Windows, sometimes we are not prompted to input the username/password by the callback, but
         the application can obtain it. Why? I think it is because we configure the Windows registry to cache the Subject to support Kerberos (adding the parameter allowtgtsessionkey with value 1). When the user logs in to Windows, the authentication is done by the LDAP (AD) server and the Subject is cached locally.
         Am I right?
    If you log in to Windows as an Active Directory account, it already has the credentials cached somewhere. Now if your JAAS config file includes "useTicketCache=true", it will not ask for your password.
    2) How does the Krb5LoginModule get the user credentials from the Kerberos KDC (Subject subject = loginContext.getSubject())? Oracle's document indicates that we need to
    specify -Djava.security.krb5.realm=<your_realm> and -Djava.security.krb5.kdc=<your_kdc> for the login, but I did not use these two parameters and I could still
    log in successfully. Could you please explain this? Does the application know the realm and KDC from the current operating system (Windows)?
    If you are using JDK 7, yes. It recognizes the LOGONSERVER and USERDNSDOMAIN (?) environment variables.

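    The login flow discussed in this reply, as an added example that is not part of the original thread or of the JDK documentation: it builds the JAAS configuration in code (equivalent to a Krb5LoginModule entry in a login config file) with useTicketCache=true, so the module first looks for an existing TGT (on a domain-joined Windows machine, the LSA credential cache filled at logon) and only falls back to prompting through the CallbackHandler when no usable ticket is found. It also prints the two system properties and the two environment variables mentioned above, so you can see which source the realm and KDC came from. The application name "KerberosClient" is arbitrary.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class KerberosLoginDemo {

    /**
     * JAAS configuration built in code instead of via -Djava.security.auth.login.config.
     * useTicketCache=true makes Krb5LoginModule try an existing TGT before asking the
     * CallbackHandler for a password. On Windows the cache is the LSA logon session; the
     * registry value AllowTgtSessionKey=1 (the one the poster mentions) is what lets a
     * process read the TGT's session key from it.
     */
    static Configuration ticketCacheFirst() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true");
                opts.put("renewTGT", "true");      // renew a TGT that is close to expiry, if it is renewable
                opts.put("debug", "true");         // logs which cache and which KDC were used
                // opts.put("doNotPrompt", "true"); // fail instead of prompting when the cache is empty
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Realm/KDC sources, in the order the JDK consults them: these two properties,
        // then krb5.conf / krb5.ini, then OS-specific defaults (LOGONSERVER etc. on Windows).
        System.out.println("java.security.krb5.realm : " + System.getProperty("java.security.krb5.realm"));
        System.out.println("java.security.krb5.kdc   : " + System.getProperty("java.security.krb5.kdc"));
        System.out.println("LOGONSERVER              : " + System.getenv("LOGONSERVER"));
        System.out.println("USERDNSDOMAIN            : " + System.getenv("USERDNSDOMAIN"));

        Configuration.setConfiguration(ticketCacheFirst());
        // TextCallbackHandler is only consulted when no cached TGT can be used.
        LoginContext lc = new LoginContext("KerberosClient", new TextCallbackHandler());
        lc.login();

        // What the module put into the Subject: the principal and the TGT it found or obtained.
        Subject subject = lc.getSubject();
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("principal : " + p.getName() + "  (realm " + p.getRealm() + ")");
        }
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("ticket for " + t.getServer().getName()
                + " valid until " + t.getEndTime()
                + (t.isRenewable() ? " (renewable)" : ""));
        }
        lc.logout();
    }
}
```

    Two caveats worth knowing before relying on the silent path: with useTicketCache=true alone, a missing or unreadable cache (for example, AllowTgtSessionKey not set) silently degrades to a password prompt, so a service that must never prompt should also set doNotPrompt=true and treat the resulting LoginException as a configuration error; and the debug output shows the KDC address actually used, which is the quickest way to confirm where the realm and KDC were discovered when neither system property is set.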
  • 2. Re: JAAS and Kerberos
    680524 Newbie
    I believe it can get the domain from the local machine. But how does it know the KDC server? For example, the domain is test.com and the KDC server is kdcserver.test.com.
    How does the client know kdcserver.test.com?
  • 3. Re: JAAS and Kerberos
    Weijun Newbie
    On Windows, it's the LOGONSERVER environment variable. On other systems, it can get the info from a DNS query.
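    Both discovery paths named in this reply, as an added example that is not part of the original thread and is not the JDK's own implementation: on Windows the KDC host is derived from LOGONSERVER (which names the domain controller that authenticated the logon, and every AD domain controller is a KDC) plus USERDNSDOMAIN; elsewhere the client queries DNS for the _kerberos._tcp.<realm> SRV records, which is what krb5.conf's dns_lookup_kdc enables. The DNS query uses the JDK's built-in JNDI DNS provider. The sample SRV records for test.com are constructed for the demonstration, and the ordering is a deterministic priority/weight sort rather than the randomized weight selection RFC 2782 describes.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class KdcLocator {

    /** One _kerberos._tcp SRV record as JNDI returns it: "priority weight port target.". */
    static final class Srv {
        final int priority, weight, port;
        final String host;
        Srv(String record) {
            String[] f = record.trim().split("\\s+");
            priority = Integer.parseInt(f[0]);
            weight = Integer.parseInt(f[1]);
            port = Integer.parseInt(f[2]);
            host = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
        }
        String hostPort() { return host + ":" + port; }
    }

    /** Windows path: LOGONSERVER is "\\DC01", USERDNSDOMAIN is "TEST.COM"; together they name a KDC. */
    public static String kdcFromWindowsEnv(String logonServer, String userDnsDomain) {
        if (logonServer == null || userDnsDomain == null) return null;
        String host = logonServer.replaceFirst("^\\\\+", "");   // strip the leading backslashes
        return host.toLowerCase() + "." + userDnsDomain.toLowerCase();
    }

    /** Order SRV targets for use: lowest priority first, higher weight first within a priority. */
    public static List<String> orderKdcs(List<String> srvRecords) {
        List<Srv> srvs = new ArrayList<Srv>();
        for (String r : srvRecords) srvs.add(new Srv(r));
        Collections.sort(srvs, new Comparator<Srv>() {
            public int compare(Srv a, Srv b) {
                if (a.priority != b.priority) return a.priority - b.priority;
                return b.weight - a.weight;
            }
        });
        List<String> out = new ArrayList<String>();
        for (Srv s : srvs) out.add(s.hostPort());
        return out;
    }

    /** Non-Windows path: ask DNS for _kerberos._tcp.<realm> SRV records. */
    public static List<String> lookupKdcs(String realm) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        DirContext dns = new InitialDirContext(env);
        Attribute srv = dns.getAttributes("_kerberos._tcp." + realm.toLowerCase(),
                                          new String[] { "SRV" }).get("SRV");
        List<String> records = new ArrayList<String>();
        if (srv != null) {
            NamingEnumeration<?> e = srv.getAll();
            while (e.hasMore()) records.add(e.next().toString());
        }
        return orderKdcs(records);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample records for the poster's realm test.com (not real DNS data).
        List<String> sample = Arrays.asList(
            "10 50 88 kdc2.test.com.",
            "0 100 88 kdcserver.test.com.",
            "0 20 88 kdc1.test.com.");
        System.out.println("ordered from sample : " + orderKdcs(sample));

        // Constructed values in the shape Windows sets for a domain logon.
        System.out.println("from Windows env    : " + kdcFromWindowsEnv("\\\\DC01", "TEST.COM"));

        // Live query only when a realm is passed on the command line, e.g. java KdcLocator TEST.COM
        if (args.length == 1) {
            System.out.println("from DNS            : " + lookupKdcs(args[0]));
        }
    }
}
```

    In practice you rarely implement this yourself: either set dns_lookup_kdc = true in krb5.conf (or krb5.ini) so the JDK performs the SRV lookup, or pin the KDC explicitly with a [realms] entry of the form kdc = kdcserver.test.com, which is the safer choice where DNS is not trusted, since a spoofed SRV answer steers the client to an attacker-chosen KDC.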
