If you are using the native ticket cache, Java Krb5LoginModule will obtain the native TGT from the ticket cache via the LSA API. If you are using a file-based ticket cache, Java Krb5LoginModule will obtain the TGT from your file-based cache. However, if the ticket obtained from the ticket cache is no longer valid, Java Krb5LoginModule will prompt for username/password.

Did you use kinit to obtain the TGT? If you did, then Java Krb5LoginModule will first fetch the ticket from the file-based ticket cache if it exists. In your case, the TGT in the file-based ticket cache has probably expired. Check if you have a krb5cc_uid file in your home directory on Windows. If you do, then I would suggest that you remove this file. Java Krb5LoginModule will then obtain the TGT from the native ticket cache via LSA, and SSO should work.

When you are prompted for username/password, the TGT obtained is not stored in any file-based cache; it is stored in the JAAS subject. If the TGT already exists in the JAAS subject, it will be used for authentication.

Do you have a file-based ticket cache in your home dir? Did you change the Kerberos principal name used by your Java application? Did you log in as a different user? Please send me further details on your usage.

Seema

Miika Parvio wrote:

>Hello!
>
>I have managed to get SSO authentication to work between Windows XP
>(SP2) and Windows Server 2003. So when a user is logged in to Windows and
>starts the application, which I have made, authentication is done by
>Krb5LoginModule. If a TGT is found in the cache, authentication is
>successful; otherwise Krb5LoginModule asks for the username and password
>of the user. I'm using the latest JDK (1.5). Everything has worked very
>well, but today I noticed that SSO didn't work after I had logged in. I
>also noticed that if I locked and unlocked my workstation, SSO started
>to work in my Java application. I repeated the following sequence many
>times:
>
>1. Log on to Windows XP
>2. Start my Java application and try single sign-on
>3. SSO failed (no TGT in cache)
>4. Application asks for username and password
>5. Username and password authentication was successful
>6. Lock workstation
>7. Unlock workstation
>8. Start my Java application and try single sign-on
>9. Authentication succeeded
>10. Log out
>MOVE TO step 1.
>
>It seems that after logon, the TGT isn't in the cache, but after the lock
>and unlock operations the TGT is in the cache.
>
>I think everything worked last week. I have checked that the
>following registry key is set to value 0x01:
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\allowTGTSessionKey
>
>DES encryption is turned on in my account (JSSE and Krb5LoginModule
>require it).
>
>So what else? I have installed some Windows security updates during
>this week. Can those updates have broken the SSO functionality?
>
>Miika
>
>________________________________________________
>Kerberos mailing list Kerberos@mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos