Hello,

I am using the Windows 2003 domain controller and the included KDC. I want to 
implement single sign-on with an application that is a server programmed in 
Java. Let's call it Alice. A client software, also programmed in Java, will 
connect to Alice. Let's call this client Bob. Now Alice is the service I have 
to add to the domain controller in order to acquire service tickets later. Bob 
is the client that should acquire a service ticket for Alice from the KDC and 
pass it on to Alice. I want Alice to ensure the service ticket's authenticity 
by decrypting it with the shared secret key that only Alice and the KDC 
possess. I already succeeded in obtaining a TGT from the KDC. My problem is 
that Alice is not in the domain in which the KDC is running. To be more 
precise, the KDC and the service Alice are set up in different network 
environments and thus do not know each other.

Is it possible to create a kerberized service that is not part of the Kerberos 
realm? If yes, what do I have to do?

I thought of sharing the symmetric service key between the KDC and Alice. To do 
so, I tried to create the service Alice with ktpass, give the encryption key 
created that way to Alice and let Alice decrypt the service tickets that will be 
delivered by Bob later.

Is this procedure possible in theory? Does anyone know how to obtain the 
service ticket by using JAAS? I only managed to get the TGT.

This is an extract of my code so far:

import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;

// Element / tPropertiesCatalog come from the application's own XML property catalog
System.setProperty("java.security.krb5.realm",
    ((Element) tPropertiesCatalog.get("PROVIDER_REALM")).getAttributeValue("value"));
System.setProperty("java.security.krb5.kdc",
    ((Element) tPropertiesCatalog.get("PROVIDER_URL")).getAttributeValue("value"));
// Allow the GSS/Kerberos provider to fall back to the JAAS login when the Subject
// does not yet hold the needed credentials
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

// Performing Kerberos login
LoginContext tLoginContext = new LoginContext("JaasLogin");
tLoginContext.login();
final Subject tSubject = tLoginContext.getSubject();

Subject.doAs(tSubject, new PrivilegedExceptionAction<Object>()
{
  public Object run() throws Exception
  {
    Principal tPrincipal =
        (Principal) tSubject.getPrincipals().iterator().next();
    // Directly after login the only ticket in the Subject is the TGT (krbtgt/REALM)
    KerberosTicket tTicket = (KerberosTicket)
        tSubject.getPrivateCredentials(KerberosTicket.class).iterator().next();
    return null;
  }
});

How can I get a service ticket now?

Thanks for any help in advance.


________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
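The step the post is missing is the TGS exchange, which the JDK performs when a GSS-API context is initiated for the service principal. The following is an added example (not the poster's code) that runs inside the logged-in Subject from the post, asks for a ticket for an assumed SPN "HTTP/alice.example.com@EXAMPLE.COM" (the real name is whatever ktpass registered for Alice), and returns the AP-REQ token that Bob would send to Alice; the JAAS entry name "JaasLogin" is taken from the post.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class ServiceTicketClient {

    // Assumed SPN for Alice; replace with the principal created by ktpass
    static final String SERVICE_SPN = "HTTP/alice.example.com@EXAMPLE.COM";

    /** Runs as the logged-in Subject and returns the initial AP-REQ token for Alice. */
    static byte[] requestServiceToken(Subject subject) throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws Exception {
                GSSManager manager = GSSManager.getInstance();
                Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID
                GSSName serverName = manager.createName(SERVICE_SPN, GSSName.NT_USER_NAME);
                // null credential: use the TGT already present in the Subject as initiator
                GSSContext context = manager.createContext(serverName, krb5Mech,
                        (GSSCredential) null, GSSContext.DEFAULT_LIFETIME);
                context.requestMutualAuth(true);   // Alice must prove she holds the service key
                context.requestIntegrity(true);
                // The first call performs the TGS-REQ/TGS-REP with the KDC and builds the AP-REQ
                return context.initSecContext(new byte[0], 0, 0);
            }
        });
    }

    /** Finds the service ticket that the TGS exchange cached in the Subject, or null. */
    static KerberosTicket findServiceTicket(Subject subject, String spn) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().equals(spn)) {
                return t;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("JaasLogin");   // same JAAS entry as in the post
        lc.login();
        Subject subject = lc.getSubject();
        byte[] apReq = requestServiceToken(subject);
        KerberosTicket ticket = findServiceTicket(subject, SERVICE_SPN);
        System.out.println("AP-REQ bytes: " + apReq.length + ", cached ticket: "
                + (ticket == null ? "none" : ticket.getServer().getName()));
    }
}
```

On Alice's side the matching step is a Krb5LoginModule login with useKeyTab=true, keyTab pointing at the ktpass output and storeKey=true, followed by acceptSecContext on the received token; the KDC only needs to know the principal and its key, so Alice does not have to be a domain member for that to work.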
