file:///C:/Program%20Files/Java/jdk1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
===BEGIN QUOTE===
Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The affected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01 ( default is 0 )
By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT.
Here is the location of the registry setting on Windows XP SP2:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
===END QUOTE===
The suggested registry addition works for W2K, but not the one for XP (at least not for me). Has anyone successfully tested this on XP, or is there something else that needs to be done?
--Dave
[EMAIL PROTECTED] wrote:
Date: Tue, 22 Feb 2005 10:10:15 -0800
From: Seema Malkani <[EMAIL PROTECTED]>
To: "Wells, Bruce" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Cc: Kerberos MIT <[email protected]>
Subject: Re: Acquiring credentials for a Principal in Java on XP client
Java Kerberos can be configured to acquire the native credentials. JAAS Krb5LoginModule will acquire native TGT on Windows via the LSA API if the option "useTicketCache=true" has been set.
For details on how to achieve Single Sign-On using Java Kerberos refer to: http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/single-signon.html
In addition, you can refer to the following JavaOne Security Lab: 7133 - Advanced Security Programming in the J2SE Platform, Version 1.5: Authentication, Secure Communication, and Single Sign-on
Seema
Wells, Bruce wrote:
Hello to all,
How can I go about acquiring the credentials for the current logged on user on an XP client in Java? I need to establish a context between the Java app and a kerberized service via GSS.
TIA, Bruce.
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
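An added diagnostic example, not code from this thread or from the Sun documentation: it logs in through Krb5LoginModule with useTicketCache=true, as described in the reply above, and reports whether each native ticket carries a usable session key, which is the condition the quoted troubleshooting entry describes. The class name, the entry name "NativeTgtCheck" and the doNotPrompt=true option are choices made for this example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class NativeTgtCheck { // class name is illustrative
    // In-memory JAAS configuration: Krb5LoginModule reading the native ticket cache only.
    static Configuration ticketCacheOnly() {
        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("useTicketCache", "true"); // on Windows: native TGT via the LSA API
        opts.put("doNotPrompt", "true");    // fail rather than ask for a password
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
            public void refresh() { } // nothing to reload; options are fixed above
        };
    }

    // A ticket whose session key was withheld has no key bytes or only zero bytes.
    static boolean hasUsableSessionKey(KerberosTicket t) {
        byte[] key = t.getSessionKey().getEncoded();
        if (key == null) return false;
        for (byte b : key) if (b != 0) return true;
        return false;
    }

    public static void main(String[] args) {
        try {
            LoginContext lc = new LoginContext("NativeTgtCheck", null, null, ticketCacheOnly());
            lc.login();
            for (KerberosTicket t : lc.getSubject().getPrivateCredentials(KerberosTicket.class)) {
                System.out.println(t.getClient() + " -> " + t.getServer()
                    + " etype=" + t.getSessionKeyType()
                    + " usableSessionKey=" + hasUsableSessionKey(t));
            }
        } catch (LoginException e) {
            // With a valid Windows logon, one possible cause is a TGT exported
            // without its session key; check the allowtgtsessionkey value.
            System.err.println("No usable native TGT: " + e.getMessage());
        }
    }
}
```

Running it before and after changing allowtgtsessionkey shows whether the registry value at the path for that Windows version is actually taking effect.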
