Please check the service principal name that you pass as args[0] in your
code.
Here is an example:
Oid krb5 = new Oid("1.2.840.113554.1.2.2");
// create a host based service name
GSSName name = manager.createName([EMAIL PROTECTED],
GSSName.NT_HOSTBASED_SERVICE, krb5);
Seema
Check out the white paper on SSO in Java:
http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/single-signon.html
Seema
[EMAIL PROTECTED] wrote:
Hi,
I have a query in SSO using Kerberos in Java.
I have one scenario like,
User logs in with same user id from two different
options.
Can you recommend further action?
Thanks,
Mike
On Tue, 07 Nov 2006 12:16:22 -0800
Seema Malkani [EMAIL PROTECTED] wrote:
What version of JDK are you using ? Sun's implementation of Java GSS
includes support for SPNEGO starting from Java SE 6.
Has the SPN been setup correctly
What version of JDK are you using ? Sun's implementation of Java GSS
includes support for SPNEGO starting from Java SE 6.
Has the SPN been setup correctly ?
Seema
Michael B Allen wrote On 11/06/06 11:26,:
I wrote an SPNEGO Java Servlet Filter that decodes the SPNEGO token,
plucks out the krb5
The algorithm names for Kerberos RC4-HMAC encryption type are:
- rc4-hmac
- arcfour-hmac
- arcfour-hmac-md5
Make sure you have setup the Kerberos account and Kerberos
configuration to use RC4-HMAC encryption type.
Seema
Michael B Allen wrote On 11/06/06 20:33,:
What is the algorithm name for
JAAS supports the notion of stacked LoginModules. These configuration
options enable sharing of usernames and passwords across different
authentication modules.
You'll first need to use the storePass option in your first login
module to store the username/password in the shared state. Then the
Here are your options:
1) Install the Kerberos configuration file instead of using system
properties
java.security.krb5.kdc and java.security.krb5.realm.
2) Set system properties via java.lang.System class
e.g. System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
3) Configure the
The JAAS Krb5LoginModule allows keys to be generated using passwords, which
is when the server would need to contact the KDC. Currently, the JAAS
Krb5LoginModule does not make the distinction of client/server, server
can be an acceptor and initiator i.e. both, hence a TGT is acquired.
The usage
This configuration option in JAAS Krb5LoginModule will be backported to
JDK 5.0 Update release, and JDK 1.4.2, don't have the exact release
details available as yet.
No, server will acquire credentials from the keytab, if you provide the
configuration option to specify the keytab file.
The default credential acquisition model for Java GSS-API requires
credentials to be present in the current Subject. Typically, the
credentials are placed there after a JAAS login by the application.
Client and server applications typically perform JAAS authentication
using the Kerberos login
:50:52 -0700
Seema Malkani [EMAIL PROTECTED] wrote:
Support for RC4-HMAC is available starting from J2SE 5.0 Update 7.
snip
3) Update Kerberos configuration file to include following:
[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
Hi Seema
Yes. Sun's implementation of Java GSS/Kerberos is fully interoperable
with MIT GSS/Kerberos implementation.
Seema
Fredrik Tolf wrote On 08/21/06 12:48,:
Dear List,
I'm intending to write a network client kind of program that's supposed
to run on Windows, so I decided to write it in Java,
Sun's implementation of Java GSS/Kerberos implementation is fully
interoperable with MIT/Solaris/Linux/Windows GSS/Kerberos
implementations. Tokens generated by Java are accepted by all other
GSS/Kerberos implementations.
I'll look into this, and get back to you.
Seema
Salil Dangi wrote:
I
If you are using system properties to specify KDC/realm, you'll need to
update this to specify krb5.conf
Use java.security.krb5.conf=/etc/krb5.conf
Instead of java.security.krb5.realm, java.security.krb5.kdc
Seema
vpouli wrote On 04/27/06 04:48,:
First of all, thanks for your help!
I tried
The Kerberos service ticket is stored in the Subject's private
credentials, after successful authentication, if useSubjectCredsOnly
property is set to true. This feature is available starting from J2SE 1.4.2.
Seema
[EMAIL PROTECTED] wrote On 02/14/06 03:18,:
hello this is zaheer here.. i am a
Douglas E. Engert wrote:
Laurence Brockman wrote:
Tried that already too and received:
GSSException: GSSException: No valid credentials provided (Mechanism
level:
Failed to find any Kerberos Key)
Then you have to get the key into the keytab. This is the way a server
works,
It does
Laurence Brockman wrote:
[EMAIL PROTECTED] laurence]# more /tmp/jaas.conf
/** Login Configuration
**/
JaasServer {
com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
storeKey=true keyTab=/etc/krb5.keytab;
};
*Code from GSSAuthorizor:*
GSSManager manager =
Douglas E. Engert wrote On 11/30/05 08:27,:
Laurence wrote:
Hey guys, hopefully someone can help me out here.
I am having a problem with authenticating a user to a KDC (I believe
the MIT reference implementation) using Java (JDK1.5 and JDK1.4)
through GSS.
Here is the background:
I have
It appears that your application is looking for
host/[EMAIL PROTECTED] service principal, but you have setup keytab
with keys for HTTP/[EMAIL PROTECTED] service principal. Please update
your application with the expected service principal
HTTP/[EMAIL PROTECTED]
Seema
david.turing wrote On
You can refer to Java GSS tutorials which includes sample code:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html
Check out the JavaOne 2005 Security Lab which also includes sample code:
1310 - Advanced Security Programming in the J2SE Platform : Authentication,
Secure
releases of JDK.
Seema
Markus Moeller wrote:
Will Mustang finally include arcfour-hmac Kerberos ciphers to get more than
DES encryption when used with MS ?
Thanks
Markus
Seema Malkani [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Sun's implementation of Java Kerberos has been
],
Seema Malkani [EMAIL PROTECTED] wrote:
Sun's implementation of Java Kerberos has been updated to include
support for the new Pre-authentication types. This support is available
starting from Java SE 6.0 (Mustang Release). In addition, we are also
looking into backporting this support to earlier
There are no restrictions to password length in Java. Check your Java
Servlet code. Possibly you have specified a password size in the HTML file.
Seema
[EMAIL PROTECTED] wrote:
Hi NG,
I use Java 1.4.2 and a Servlet in which I do a password authentication
against
the Active Directory. It works
/jdk6/binaries/
We are looking into backporting, but currently don't have any backports
ready as yet.
Seema
Douglas E. Engert wrote:
Seema Malkani wrote:
Sun's implementation of Java GSS/Kerberos supports DES, 3DES, RC4-HMAC
(ARCFOUR-HMAC), AES128, AES256 Kerberos encryption types.
Support
the salt from the KDC.
I see the ietf-krb-wg will be having a meeting and Microsoft will be
hosting
an interoperability event after the meeting. I would suggest that the
Java SUN
people participate, I would like to see this problem solved.
Seema Malkani wrote:
Douglas E. Engert wrote
Sun's implementation of Java GSS/Kerberos will use the TGT from the
Subject, and obtain the Kerberos service Ticket. The Kerberos Service
Ticket is also stored in the Subject's private Credentials. After
successful Kerberos authentication, you can retrieve it from the JAAS
Subject.
Seema
Veeru
Such an error is returned if DES computation on the checksum failed.
Have you configured to use the DES encryption type ? Is this error
returned when using J2SE 1.4 or J2SE 1.5 ? Can you provide more details
on this.
Seema
hunterae wrote:
I am having a problem that may seem to indicate an
Here are the KerberosTicket time details:
starttime specifies the time after which the ticket is valid.
endtime specifies its expiration time.
authtime specifies the time of initial authentication for the principal.
The max lifetime of the Kerberos ticket is defined by the KDC (typically
8
Sun's implementation of Java GSS/Kerberos now supports AES128, AES256,
RC4-HMAC, 3DES and DES encryption types.
Support for 3DES (des3-cbc-sha1-kd) encryption type is available in J2SE
1.5.0 onwards.
Support for AES128, AES256, and RC4-HMAC encryption types is available
in the next J2SE release
For Java application to authenticate against Windows KDC, you will need
to configure the Windows 2000 KDC to use DES. Select use DES encryption
in the Active Directory account settings, and reset the password.
Seema
ted_trippin wrote:
Hi,
I have a little java app that can authenticate against my
this code to run on Linux. I also need to specify all the -D
options programmatically. How do I do that? Also is it possible to
eliminate the need for the .conf file and specify, the LoginModule to be
used, programmatically?
thanks
Atul Bajpai
Development Infrastructure
-Original Message-
From: Seema
As per your earlier email, you had mentioned that SSO works correctly
with your test account, and you do not get prompted for password. Is
this an issue with another account on the same AD domain ?
JAAS Kerberos login module will acquire the native credentials, provided
you have the
Although currently Java Kerberos does not support RC4-HMAC etype, this
is not a problem with the encryption type.
JAAS Kerberos authentication does succeed when the user provides the
login/password; this means user has enabled DES for this account. If
the AD account settings have use DES
Infrastructure
-Original Message-
From: Seema Malkani [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 17, 2005 3:55 PM
To: Bajpai, Atul
Cc: kerberos@mit.edu
Subject: Re: Java sample for SSO using JAAS on XP SP2
You can refer to Java GSS tutorials for sample code:
http://java.sun.com/j2se/1.5.0/docs
to be done?
--Dave
[EMAIL PROTECTED] wrote:
Date: Tue, 22 Feb 2005 10:10:15 -0800
From: Seema Malkani [EMAIL PROTECTED]
To: Wells, Bruce [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Cc: Kerberos MIT kerberos@mit.edu
Subject: Re: Acquiring credentials for a Principal in Java on XP client
Message-ID
If you are using native ticket cache, Java Krb5LoginModule will obtain
the native TGT from the ticket cache via LSA API. If you are using a
file-based ticket cache, Java Krb5LoginModule will obtain the TGT from
your file-based cache. However if the ticket obtained from the ticket
cache is no
When prompted for username/password using Java Krb5LoginModule, the TGT
obtained is not stored in any file-based cache, it will be stored in the
JAAS subject. If the TGT already exists in the JAAS subject, it will be
used for authentication.
Please read my email in response to your question on
Douglas E. Engert wrote:
MWChapel wrote:
which it fails, and since the pa-enc-timestamp is included,
windows should throw a KDC_ERR_PREAUTH_FAILED(24) as per rfc1510. But
the previous note is stating that we aren't handling the error 24. That
is where I tend to disagree, with the
-authentication type was not
present in RFC 1510.
Seema
Douglas E. Engert wrote:
Seema Malkani wrote:
Sun's implementation of Java GSS/Kerberos currently supports
PA-ENC-TIMESTAMP as per RFC 1510. The new pre-authentication types
specified in the Kerberos clarifications provide additional
pre
Following up on this email..
(this apparently got filtered with MIT alias)
Java GSS/Kerberos does support TCP
Sun's implementation of Java Kerberos now supports automatic fallback to
TCP. Therefore, if the Kerberos ticket request using UDP fails and the
KDC returns
udp_preference_limit =1 to always use TCP.
Seema
Douglas E. Engert wrote:
Seema Malkani wrote:
Following up on this email..
(this apparently got filtered with MIT alias)
Can you answer the other question in the user's original question?
He needs both TCP and RC4/HMAC. When will the Sun Java
Sun's implementation of Java GSS/Kerberos currently supports
PA-ENC-TIMESTAMP as per RFC 1510. The new pre-authentication types
specified in the Kerberos clarifications provide additional
pre-authentication. Support for these new pre-authentication types
PA-ETYPE-INFO and PA-ETYPE-INFO2 will
Alex,
Currently Sun's implementation of Java GSS does not support RC4-HMAC.
Java GSS/Kerberos in J2SE 1.5 supports 3DES and DES enctypes.
Hence the error.
Make sure you select use DES encryption type for Kerberos account
in the Windows KDC.
Hope this helps.
Seema
Don Alex wrote:
Hi doc:
I am
---BeginMessage---
Alex,
Please check your Kerberos configuration and Kerberos principals set-up
for client and server. When you run the SampleClient, you need to
provide the client principal, assigned for Kerberos authentication, for
e.g.[EMAIL PROTECTED]. And the host-based service
Typically the error Integrity check on decrypted field failed is seen
when an incorrect key is used. Due to incorrect set-up, different keys
are being used for encryption and decryption.
This is not an issue with Java GSS in J2SE 1.5. Please check your
Kerberos configuration and Kerberos
---BeginMessage---
Alex,
Currently Sun's implementation of Java GSS does not support RC4-HMAC.
Java GSS/Kerberos in J2SE 1.5 supports 3DES and DES enctypes.
Hence the error.
Make sure you select use DES encryption type for Kerberos account
in the Windows KDC.
Hope this helps.
Seema
Don Alex
Claude,
It appears that you have configured your Windows domain to be all lower-case.
Kerberos realm names are case sensitive. By convention, all realm names are
uppercase. On Windows domains are also Kerberos realms, and realm name
is always the uppercase version of the domain name.
The LSA API
For any questions on Sun's implementation of Java GSS/Kerberos,
please communicate to us via [EMAIL PROTECTED] alias.
For latest Java GSS/Kerberos features in J2SE 1.5.0, please refer to:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/jgss-tiger.html
For Java GSS/Kerberos features
48 matches