Ricky Ru wrote:
If you log in to Windows as an Active Directory account, it already has the credentials cached somewhere. Now if your JAAS config file includes "useTicketCache=true", it will not ask for your password.

My questions are:

1) As we know, in Windows, sometimes we are not prompted to input the username/password by the callback, but the application can still obtain it. Why? I think it is because we configure the Windows registry to cache the Subject to support Kerberos (adding the parameter allowtgtsessionkey with value 1). When the user logs in to Windows, the authentication is done by the LDAP (AD) server and the Subject is cached locally. Am I right?

2) How does the Krb5LoginModule get the user credentials from the Kerberos KDC (Subject subject = loginContext.getSubject())? Although Oracle's documentation indicates that we need to specify -Djava.security.krb5.realm=<your_realm> and -Djava.security.krb5.kdc=<your_kdc> for the login, I did not use these two parameters and I could still log in successfully. Could you please explain this? Does the application know the realm and KDC from the current operating system (Windows)?

If you are using JDK 7, yes. It recognizes the LOGONSERVER and USERDNSDOMAIN (?) environment variables.

Ricky Ru wrote:
I believe it can get the domain from the local machine. But how does it know the KDC server? For example, the domain is test.com and the KDC server is kdcserver.test.com. How does the client know kdcserver.test.com?

On Windows, it's the LOGONSERVER environment variable. On other systems, it can get the info from a DNS query.
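The behaviour discussed in this thread (a cached TGT being picked up without any prompt, and the realm/KDC being derived from the environment when the krb5 system properties are not set) can be observed directly with a small JAAS client. The following is an added example, not code from the thread or from Oracle; the config file name jaas.conf, the entry name KerberosClient and the realm EXAMPLE.COM / KDC kdc.example.com are assumed placeholders. The CallbackHandler records whether it was ever invoked, so you can see which path Krb5LoginModule took.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Added example (not from the thread). Assumes this JAAS configuration, passed
 * to the JVM as -Djava.security.auth.login.config=jaas.conf (file and entry
 * names are assumptions):
 *
 *   KerberosClient {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true    // try the existing TGT first; on Windows this is
 *                                  // the LSA cache, usable only with allowtgtsessionkey=1
 *           doNotPrompt=false;     // fall back to the CallbackHandler if no usable TGT
 *   };
 *
 * Realm and KDC may be pinned explicitly (placeholder values):
 *   -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=kdc.example.com
 * or left unset so the JDK derives them from the environment (LOGONSERVER /
 * USERDNSDOMAIN on Windows, DNS on other systems). -Dsun.security.krb5.debug=true
 * prints which source was used, which is the quickest way to check this.
 */
public class KerberosLoginDemo {

    /** Invoked only when Krb5LoginModule could not reuse a cached ticket. */
    static final class RecordingHandler implements CallbackHandler {
        boolean prompted = false;

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            if (System.console() == null) {
                throw new IOException("no console attached; cannot prompt for credentials");
            }
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    prompted = true;
                    NameCallback nc = (NameCallback) cb;
                    nc.setName(System.console().readLine("%s", nc.getPrompt()));
                } else if (cb instanceof PasswordCallback) {
                    prompted = true;
                    PasswordCallback pc = (PasswordCallback) cb;
                    pc.setPassword(System.console().readPassword("%s", pc.getPrompt()));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    public static void main(String[] args) throws LoginException {
        RecordingHandler handler = new RecordingHandler();
        LoginContext lc = new LoginContext("KerberosClient", handler);
        lc.login();
        Subject subject = lc.getSubject();

        System.out.println(handler.prompted
                ? "No usable cached TGT: credentials were obtained through the callback."
                : "Cached TGT reused: the callback was never invoked.");

        // The populated Subject carries the principal and the TGT as private credentials.
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("Principal: " + p.getName() + " (realm " + p.getRealm() + ")");
        }
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("Ticket for " + t.getServer().getName() + " valid until " + t.getEndTime());
        }
        lc.logout();
    }
}
```

Run it once while logged on to the domain (the callback should stay silent and the TGT printed is the one from the OS cache), then once with the krb5 system properties removed and debug enabled to watch the JDK resolve the realm and KDC from LOGONSERVER/USERDNSDOMAIN or DNS. If the callback fires on a domain-joined Windows machine even though a TGT exists, the allowtgtsessionkey registry value mentioned in the thread is the first thing to check, since without it the session key is not exported to Java.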