Revalidating a Kerberos ticket
Hi,
How can I validate a Kerberos ticket that was generated on a non-Java platform and extract the name of the principal from it?
In essence, this is a cross platform SSO.
Here is the background.
A C# client is sending the ASN encoding of a Kerberos ticket to
a Java server via a web service call. The Java server needs to
revalidate the Kerberos ticket, extract the principal's name
and then provide some service.
Looking through the JAAS and JGSS, it doesn't seem like I can do much with the Kerberos ticket that is being passed in to
the web service. It seems like the APIs do not provide a
way to use credentials that were generated on a non-Java platform.
Any pointers would be much appreciated.
Thank you,
Raman
sherazade, it was my understanding that the GSSAPI token was opaque. According to the spec it does contain a plain Kerberos ticket, but it also contains some GSSAPI metadata (like flags indicating if mutual authn was requested, or delegation content). Can acceptSecurityContext() accept a plain, undecorated Kerberos ticket?
Of course you're right and acceptSecurityContext(...) won't understand a pure Kerberos ticket.
But as I understood SecurityTyro, he creates a GSSAPI token in a C# client and wants to verify this token - which contains the Kerberos ticket - in a Java-based web service. And acceptSecurityContext(...) can be used to do so.
I don't think that it is possible to verify a pure Kerberos ticket, since the verification needs additional information, e.g. the authenticator that is included in a normal KRB_AP_REQ message.
But one should also be aware that some Kerberos features - like mutual authentication - involve the exchange of additional messages from the server to the client. And the described approach does not account for this.
Cheers
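
An added example, not code posted by anyone in this thread: the acceptor side discussed above, written against the standard org.ietf.jgss API, where the method is named acceptSecContext. It assumes Java 16 or later, that the client sent a Kerberos-mechanism GSS-API token, and that the service key is available to JGSS (for instance through a JAAS keytab login); the class name, the Accepted record and the sample bytes in main are constructed for illustration.

```java
import org.ietf.jgss.*;

public class GssTokenAcceptor {
    // Kerberos V5 GSS-API mechanism OID.
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2";

    /** Hypothetical result type handed back to the web service layer. */
    public record Accepted(String clientPrincipal, byte[] replyToken) {}

    /** A GSS-API initial context token has ASN.1 tag 0x60; a bare Kerberos Ticket has 0x61. */
    static boolean looksLikeGssInitialToken(byte[] token) {
        return token != null && token.length > 2 && (token[0] & 0xFF) == 0x60;
    }

    public static Accepted accept(byte[] token) throws GSSException {
        if (!looksLikeGssInitialToken(token)) {
            // A bare ticket carries no authenticator, so there is nothing to verify it against.
            throw new IllegalArgumentException("not a GSS-API initial context token");
        }
        GSSManager manager = GSSManager.getInstance();
        // Assumption: called inside Subject.doAs() after a JAAS Krb5LoginModule
        // login from the service keytab, so the acceptor credential can be found.
        GSSCredential serverCred = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, new Oid(KRB5_MECH), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);
        try {
            // Decrypts the ticket with the service key and checks the authenticator.
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) {
                throw new IllegalStateException("context needs further tokens from the client");
            }
            // With mutual authentication requested, reply is non-null and has to be
            // sent back to the client in the web service response.
            return new Accepted(ctx.getSrcName().toString(), reply);
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) {
        byte[] bareTicket = {0x61, 0x03, 0x30, 0x01, 0x00}; // constructed: Ticket tag only
        byte[] gssToken = {0x60, 0x03, 0x06, 0x01, 0x00};   // constructed: GSS token tag only
        System.out.println("bare ticket accepted as GSS token? " + looksLikeGssInitialToken(bareTicket));
        System.out.println("GSS token accepted as GSS token?   " + looksLikeGssInitialToken(gssToken));
    }
}
```

The tag check is only a fast rejection of obviously wrong input; the actual validation is the acceptSecContext call, which fails with a GSSException if the ticket or authenticator does not verify.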