Callback hanlder when using cached credentials
I am having trouble getting SSO with Kerberos/AD working. I can authenticate against AD if I have captured username and password, but I cannot authenticate using credentials arising from a Windows login.
I am on W2000, SP4. I am using JDK 1.5_10. I have set the Windows registry value as recommended.
My specific question relates to the callback handler.
As I understand it, the purpose of the callback handler is to interact with the user: the name and password handlers allow authentication data to be captured, and the text handler allows output to the user.
If I am seeking to authenticate using existing credentials then I assume that the user will not have to enter username or password. The callback handler is therefore, to my mind, a logical no-op.
I have coded my callback handler to do nothing at all, either on construction or in the handle method.
I am gettting the following exception:
Using builtindefault etypesfor default_tkt_enctypes
default etypesfor default_tkt_enctypes: 3 1 23 16 17.
javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!
What should the callback handler do in this case? Or is this a manifestation of another problem?
My krb5.conf is as follows --
Authenticate
{
com.sun.security.auth.module.Krb5LoginModule
required
useTicketCache=true
doNotPrompt=false
debug=true;
}
Thanks for any help -- I've been tussling with this for a while.
Alec
Hi -- thanks for the reply.
Before I posted my original question I tried exactly what you proposed (I set do not prompt to true, and I used the LoginContext ctor that has no callback handler argument. And I have debug set on the command line).
This was/is the result
javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information from the user
Getting to that point is what led me to try a callback handler that exists, but does nothing.
I'm stumped. Incidentally, I can find no examples of code that actually omit the callback handler, despite exhaustive searches. Has anyone got a code collection that actually does this correctly? The Sun examples show the config but the code is the same as for examples that "garner" username and password.
I'm sure I'm missing something, so any more help would be much appreciated.
Alec.
Hi,
OK, I have it working.
I was picking up the wrong config -- your suspicion that I had doNotPrompt=false was correct.
It turns out that you can use either LoginContext constructor (the one which demands a callback handler, and the one that doesn't).
It's the doNotPrompt that determines a) if the callback handler is required, and b) if a failure to find cached credentials results in an attempt to capture username and password (as opposed to an authentication failure).
Therefore: a program that wishes to be capable both of using cached credentials resulting from the OS login against AD, and of capturing username/password, should specify a functional callback handler that can capture the auth data if needed, and should use config to control whether to attempt SSO.
I believe that this is what the examples and docs were trying to tell me, on rereading various pages knocking about the place.
Thanks for your help -- it put me on the right diagnostic track!
Alec.
