Hi,
> From: "Paul B. Hill" <[EMAIL PROTECTED]>
> To: "Ratko Soukup" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: RE: Kerberos questions!
> Date: Wed, 29 Aug 2001 12:04:31 -0400
>
> - Are there any books about it? (about Kerberos in W2k, not about Kerberos
> generally)
>
> "Programming Windows Security" by Keith Brown, chapter 7 is on Network
> Authentication. This chapter (pages 255-308) covers NTLM, Kerberos v5,
> Microsoft's SSPI, and SPENGO. Much more detailed information can be found on
> MSDN but this books provides a pretty good, broad, summary of many topics.
>
> - How to implement KDC (TGS) in W2k?
>
> By definition, a Win2k Domain Controller is a KDC.
>
> - How does KDC use Active Directory as a database?
>
> A Win2k Domain Controller is both a KDC and an Active Directory server. AD
> is the administrative interface to the KDC. E.g. all account creation and
> modifications are made to AD, not through a separate protocol to the KDC.
>
> - How to implement a Kerberos client (written in Java) in W2k?
>
> In general, you should not program to a Kerberos API, instead you should
> write to the GSSAPI. Microsoft's Windows specific equivalent is SSPI. Others
> might recommend instead writing to SASL and then letting SASL negotiate to
> GSSAPI. If you search on Google or other search engines for Java and GSSAPI
> together you should find sufficient resources.
>
> One problem is that your Java client will not likely use Kerberos for single
> sign-on. A Java applet is not going to have access to the user's tickets
> that were obtained when logging on to Win2k. You could probably modify CMU's
> ms2mit.exe utility to copy the TGT from the native Microsoft cache to the
> ticket cache used by a Java Kerberos/GSSAPI implementation and proceed from
> there.
>
You can configure it so that a Java application can use an existing ticket cache
instead of prompting you for the Kerberos password. This works on Windows
2K (using LSA) as well as on Solaris (SEAM) and MIT implementations.
Please refer to
http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/index.html and
http://java.sun.com/j2se/1.4/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
Thanks
= Ram Marti
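As an added example (not code from either poster), here is the setup Ram describes: a JAAS login entry that tells Krb5LoginModule to reuse the ticket cache populated at OS logon, and a client that then drives Java GSS-API from those credentials without ever handling a password. The config file name, the entry name and the service principal host@server.example.com are assumptions for the example.

```java
// Constructed JAAS login configuration, saved as krb5_ticket_cache.conf
// (Java 1.4 era syntax; anonymous inner class instead of a lambda):
//
//   com.sun.security.jgss.initiate {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true   // reuse the TGT from the native cache (LSA on Win2k)
//           doNotPrompt=true;     // never fall back to asking for a password
//   };
//
// On Windows the LSA only releases the TGT session key to applications when the
// AllowTgtSessionKey setting is enabled; with it off, login() fails instead of
// prompting, which is the safe failure mode for a single sign-on client.

import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class TicketCacheClient {
    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.auth.login.config", "krb5_ticket_cache.conf");

        // Authenticate purely from the cached TGT; no CallbackHandler is supplied,
        // so there is nothing in this program that could collect a password.
        LoginContext lc = new LoginContext("com.sun.security.jgss.initiate");
        lc.login();
        Subject subject = lc.getSubject();

        // JGSS picks up the Kerberos credentials from the Subject we run under.
        Subject.doAs(subject, new PrivilegedExceptionAction() {
            public Object run() throws GSSException {
                GSSManager manager = GSSManager.getInstance();
                Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");   // Kerberos v5 mechanism OID
                GSSName server = manager.createName("host@server.example.com",
                                                    GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = manager.createContext(server, krb5Mech, null,
                                                       GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);   // verify the server, not just ourselves
                ctx.requestInteg(true);        // protect later messages with a MIC
                // First token is the AP-REQ built from the cached service ticket;
                // send it to the server and loop on initSecContext until established.
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);
                System.out.println("AP-REQ token bytes: " + token.length);
                ctx.dispose();
                return null;
            }
        });
        lc.logout();
    }
}
```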