How to get valid Kerberos ticket without using TicketCache and Password

Hello,

I am implementing Single Sign-on feature using Kerberos in Java.

Ours is a web-based application. When a user opens the application using a browser, it sends the Windows username to the web server. The web server should try to get a valid KerberosTicket for this user, and if the ticket is valid the browser opens the page without asking for username/password.

I tried this small program to get valid KerberosTicket.

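import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;

// "SampleClient" is the entry name in the conf file below
LoginContext lc = null;
KerberosTicket kerberosTicket = null;
lc = new LoginContext("SampleClient");
lc.login();
System.out.println("Subject:" + lc.getSubject());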

Conf file
=======
SampleClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true doNotPrompt=true;
};

The above code is giving me the valid ticket from local machine. Since useTicketCache=true is specified, the result is correct. But it should give KerberosTicket from Kerberos Server and not from local system.

What is the configuration change I need to make to get KerberosTicket from Kerberos server without specifying Password?

I tried another program given below.

This also gives KerberosTicket from local cache.

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
System.setProperty("java.security.auth.login.config", "login.conf");
GSSManager manager = GSSManager.getInstance();
Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
// Identify who the client wishes to be
GSSName userName = manager.createName("m1001115", GSSName.NT_USER_NAME);
GSSName serverName = manager.createName("m1001115/SERVER.COM", krb5PrincipalNameType);
// Acquire credentials for the user
GSSCredential userCreds = manager.createCredential(userName, GSSCredential.DEFAULT_LIFETIME,
        krb5Mechanism, GSSCredential.INITIATE_ONLY);

login.conf
===========
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true doNotPrompt=false;
};

What is the actual procedure to implement Single Sign-on feature using Kerberos in Java without using local cache and without specifying password?

Thanks

Prakash

[3246 byte] By [Prakash_Selvaa] at [2008-1-4]
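
An added example, not part of the original post: in browser single sign-on the web server usually does not fetch a ticket for the user; the browser sends a SPNEGO token in the "Authorization: Negotiate" header and the server validates it with its own service keytab. The class name, service principal and keytab path below are assumptions, and the browser is assumed to be configured to send Negotiate tokens to this site.

```java
import java.util.Base64;
import org.ietf.jgss.*;
// Added example (not from the original post). Assumed JAAS entry; the
// principal and keytab path are placeholders:
//   com.sun.security.jgss.accept {
//     com.sun.security.auth.module.Krb5LoginModule required
//       useKeyTab=true keyTab="/path/to/http.keytab" storeKey=true
//       principal="HTTP/webserver.example.com@EXAMPLE.COM"
//       isInitiator=false doNotPrompt=true;
//   };
// Start the JVM with -Djava.security.auth.login.config=login.conf
// and -Djavax.security.auth.useSubjectCredsOnly=false.
public class SpnegoAcceptor {
    private static final String PREFIX = "Negotiate ";

    // Returns the authenticated client principal, or null when the caller
    // must answer 401 with "WWW-Authenticate: Negotiate".
    public static String authenticate(String authorizationHeader) throws GSSException {
        if (authorizationHeader == null || !authorizationHeader.startsWith(PREFIX)) {
            return null; // no ticket presented; a bare username is not proof
        }
        byte[] token;
        try {
            token = Base64.getDecoder().decode(authorizationHeader.substring(PREFIX.length()).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid("1.3.6.1.5.5.2");
        // Acceptor credential is read from the service keytab (no password, no cache)
        GSSCredential serverCreds = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
        GSSContext context = manager.createContext(serverCreds);
        try {
            // Throws GSSException if the ticket is forged, expired or for another service
            context.acceptSecContext(token, 0, token.length);
            // Multi-leg negotiation is not handled: treat it as unauthenticated
            return context.isEstablished() ? context.getSrcName().toString() : null;
        } finally {
            context.dispose();
        }
    }

    public static void main(String[] args) throws GSSException {
        // Constructed inputs that need no KDC; both are rejected
        System.out.println(authenticate(null));
        System.out.println(authenticate("Basic dXNlcjpwdw=="));
    }
}
```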