You can set system properties programmatically via java.lang.System class :-
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

To specify the JAAS Kerberos Login Configuration file, you can use :-
1) System property "-Djava.security.auth.login.config"
Optionally, you can set it programmatically via :-
System.setProperty("java.security.auth.login.config", "jaas.conf");

2) Java security properties file
Indicate the URL of the configuration file in the security properties file located at JRE/lib/security/java.security
login.config.url.1=file:C:/jaas.conf


For more information, refer to following websites :-
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html

Seema
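
The question quoted below also asks whether the .conf file can be dropped altogether. The following is an added example, not part of the original e-mail: a javax.security.auth.login.Configuration subclass that supplies the Krb5LoginModule entry in memory and sets the -D options in code. The class names and the application name "SampleSSO" are hypothetical; doNotPrompt=true is an assumption chosen so that a failed ticket-cache lookup raises an error instead of falling back to collecting a password.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class ProgrammaticKrb5Login {

    /** In-memory stand-in for a jaas.conf entry; answers for one application name only. */
    static class TicketCacheConfig extends Configuration {
        private final String appName;

        TicketCacheConfig(String appName) { this.appName = appName; }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!appName.equals(name)) {
                return null; // no entry configured for any other application name
            }
            Map<String, String> opts = new HashMap<String, String>();
            opts.put("useTicketCache", "true"); // use the native (logged-in user's) credentials
            opts.put("doNotPrompt", "true");    // fail instead of asking for a password
            opts.put("debug", "true");          // same module debug output as shown in the thread
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                          LoginModuleControlFlag.REQUIRED, opts)
            };
        }

        @Override
        public void refresh() { /* nothing to reload: the entry lives in memory */ }
    }

    public static void main(String[] args) {
        // Programmatic equivalents of the -D options discussed in the thread.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("sun.security.krb5.debug", "true");
        Configuration.setConfiguration(new TicketCacheConfig("SampleSSO"));
        try {
            LoginContext lc = new LoginContext("SampleSSO"); // hypothetical application name
            lc.login();
            Subject subject = lc.getSubject();
            System.out.println("Principals: " + subject.getPrincipals());
            // Report only the number of tickets; never log private credentials themselves.
            System.out.println("Tickets: " + subject.getPrivateCredentials(KerberosTicket.class).size());
        } catch (LoginException e) {
            System.err.println("No usable native credentials: " + e.getMessage());
        }
    }
}
```

Set the system properties and call Configuration.setConfiguration before the first LoginContext is created, since the JAAS configuration is looked up when the context is constructed.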

Bajpai, Atul wrote:

Thanks for your response again Seema. I am able to get SSO to work with
J2SE 1.4.2_07. During all this trial and error at some point I had
started building and running against 1.4.2_04 and didn't realise the
folly since I was always able to get a ticket when I provided my userid
and password, when prompted for it. Once I changed back to 1.4.2_07 and
turned the debug flag on, Krb5LoginModule is able to get the principal
from the ticketcache without prompting and eventually I get a Kerberos
ticket back in the Subject. Thanks for all the suggestions. Next step is
to get this code to run on Linux. I also need to specify all the -D
options programmatically. How do I do that? Also is it possible to
eliminate the need for the .conf file and specify the LoginModule to be
used programmatically?

thanks
Atul Bajpai
Development Infrastructure


-----Original Message-----
From: Seema Malkani [mailto:[EMAIL PROTECTED]
Sent: Monday, April 04, 2005 2:29 PM
To: Bajpai, Atul
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
kerberos@mit.edu
Subject: Re: Java sample for SSO using JAAS on XP SP2, did anybody get
it to work?


As per your earlier email, you had mentioned that SSO works correctly
with your "test" account, and you do not get prompted for password. Is
this an issue with another account on the same AD domain ?

JAAS Kerberos login module will acquire the native credentials, provided
you have the correct configuration. But if the credential acquisition
fails due to some reason, no credentials will be returned; and you'll
get a message "null credentials from Ticket Cache".

Can you provide following info:
1) Are you using the latest J2SE 1.4.2_07 ?
2) Do you have any file-based ticket cache on your machine ? Check out
any existence of krb5cc_uid in the home dir of the account used.
3) To investigate the failure, please send me a debug output. You can
enable Java Kerberos debugging via -Dsun.security.krb5.debug=true

See my comments below in response to your questions.

Seema

Bajpai, Atul wrote:



Hi all,
I am using a JAAS sample to try SSO on Windows. My problem is that when I use the Krb5LoginModule I am always prompted for a username and password. I want my app to get the Kerberos ticket for the currently logged in user (which is me) without being prompted for username/password. To understand the problem I set debug=true and following is the output I get before I get prompted for username/pwd


===================================
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Refreshing Kerberos configuration
Principal is null
null credentials from Ticket Cache
===========================
My question is
1) Does this mean that ticket cache cannot be found hence a ticket could not be found or just that the ticket cache is empty?




This does not mean that the ticket cache cannot be found. This is
because the credential acquisition failed; this could be due to various
reasons, such as credentials in the ticket cache were invalid, or did
not exist for the requested identity.



2) How do I find out where my ticket cache is and what it has?



You can use Klist.exe tool on Windows to check on the native
credentials.



3) When prompted for username/pwd, if I supply either mine or a test account username/pwd, my login succeeds and I get back a subject from the logincontext where I can see a kerberos ticket as part of the private credentials. What could be the reason for my sample app not being able to get a kerberos ticket for the currently logged in user without prompting for username/pwd?



Possibly due to configuration. Please answer the questions above.



Seems like some of you have dealt with JAAS on windows before so I'll really appreciate any pointers I can get on this.

thanks










________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
