The problem is, my server application cannot reach the KDC. The KDC's host isn't resolved for the server. So if I call
lc.login() I get an UnknownHostException because the KDC's hostname is unknown. Thank you for your help.

-----Original Message-----
From: Olfmatic [mailto:[EMAIL PROTECTED]
Sent: Thursday, 7 September 2006 14:42
To: [email protected]
Subject: Accepting secure context on Server without KDC-Login

Hello,

Please help me, I still don't get it: I want to accept a secure context on my server. As far as I learned, the server does not have to contact the KDC to do so, because the shared secret is stored in a keytab file created on the KDC and then stored at the server. But I had a different experience. This is my code:

    import org.ietf.jgss.GSSContext;
    import org.ietf.jgss.GSSCredential;
    import org.ietf.jgss.GSSManager;
    import org.ietf.jgss.GSSName;
    import org.ietf.jgss.Oid;

    // Kerberos V5 mechanism OID
    Oid tKrb5Oid = new Oid("1.2.840.113554.1.2.2");
    GSSManager tGSSManager = GSSManager.getInstance();
    String tPrincName = "servicename/[EMAIL PROTECTED]";
    GSSName tServerName = tGSSManager.createName(tPrincName, GSSName.NT_USER_NAME);
    // Acceptor-only credential for the service principal; the mechanism OID is passed
    // directly instead of via sun.security.jgss.krb5.Krb5MechFactory, which is not a public API
    GSSCredential tServerCredential = tGSSManager.createCredential(tServerName,
            GSSCredential.INDEFINITE_LIFETIME, tKrb5Oid, GSSCredential.ACCEPT_ONLY);
    // Acceptor-side context is created from the server credential only
    // (the four-argument createContext overload is the initiator-side form)
    GSSContext tSecureContext = tGSSManager.createContext(tServerCredential);
    byte[] tInToken = aToken; // aToken: the initial token received from the client
    byte[] tOutToken = tSecureContext.acceptSecContext(tInToken, 0, tInToken.length);

If I execute this code in a PrivilegedAction after logging in to the KDC with the Krb5LoginModule, everything is fine. Now what I want is the server to accept the secure context WITHOUT trying to contact the KDC. Do I have to login with the Krb5LoginModule even though? Or can the above code also be executed without prior KDC-Login? But then how do I tell the server application where to find the keytab file?

As far as I know, the keytab file is configured in the configuration of LoginModules:

    JaasLogin {
        // Kerberos single-sign-on login module
        com.sun.security.auth.module.Krb5LoginModule required
            debug=true
            useKeyTab=true
            keyTab=C:/krb5.keytab;
    };

But if I never call

    LoginContext tLoginContext = new LoginContext("JaasLogin");
    tLoginContext.login();
    final Subject tSubject = tLoginContext.getSubject();

then how can the application know that it shall use a keytab and where to find it?

IF I login with the Krb5LoginModule, the server looks for the KDC which is not what I want.
IF I do not login with the Krb5LoginModule, I get the error message "Attempt to obtain new ACCEPT credentials failed", which seems clear to me because the server application doesn't know anything about the keytab file.

What do I have to do? Login or no Login? Thanks for any help.

Florian
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
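The following is an added example (editor's code, not from the mail thread or from the JDK documentation) showing the acceptor-only setup the thread is asking about: a Krb5LoginModule entry that reads the service key from a keytab with isInitiator=false, so login() does not request a TGT and therefore does not need to reach the KDC, followed by the GSS-API accept run inside Subject.doAs so the acceptor credential can find the keytab key. The JAAS entry name "ServerAcceptor", the keytab path, the service principal and the AcceptResult holder class are all assumptions; the client token must come from a real initiator.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example: keytab-based GSS-API acceptor that never asks the KDC for a TGT.
 *
 * Assumed JAAS configuration, passed with -Djava.security.auth.login.config=<file>
 * (entry name, keytab path and principal are placeholders):
 *
 *   ServerAcceptor {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useKeyTab=true
 *           keyTab="/etc/krb5.keytab"
 *           principal="servicename/host.example.org@EXAMPLE.ORG"
 *           storeKey=true        // keep the long-term key in the Subject for the acceptor
 *           doNotPrompt=true     // never fall back to a password prompt
 *           isInitiator=false;   // acceptor only: no AS exchange, so no KDC contact at login
 *   };
 */
public final class KeytabAcceptor {

    // Kerberos V5 mechanism OID (same value as in the original mail).
    private static final Oid KRB5_MECH;
    static {
        try {
            KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** Result of one acceptSecContext call (assumed holder type, not a JDK class). */
    public static final class AcceptResult {
        public final boolean established;
        public final String clientPrincipal; // null until the context is established
        public final byte[] replyToken;      // null when nothing has to be sent back
        AcceptResult(boolean established, String clientPrincipal, byte[] replyToken) {
            this.established = established;
            this.clientPrincipal = clientPrincipal;
            this.replyToken = replyToken;
        }
    }

    /** Reads the service key from the keytab named in the JAAS entry; no TGT is requested. */
    public static Subject loginAcceptor(String jaasEntry) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login(); // with isInitiator=false this only loads the keytab entry
        return lc.getSubject();
    }

    /**
     * Accepts one client token. Runs under the keytab Subject because, with the default
     * javax.security.auth.useSubjectCredsOnly=true, the ACCEPT credential is looked up in
     * the current Subject's private credentials; outside doAs that lookup fails with
     * "Attempt to obtain new ACCEPT credentials failed".
     */
    public static AcceptResult acceptClientToken(Subject serverSubject, String servicePrincipal,
                                                 byte[] clientToken) throws Exception {
        PrivilegedExceptionAction<AcceptResult> action = () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName serverName = mgr.createName(servicePrincipal, GSSName.NT_USER_NAME, KRB5_MECH);
            GSSCredential serverCred = mgr.createCredential(serverName,
                    GSSCredential.INDEFINITE_LIFETIME, KRB5_MECH, GSSCredential.ACCEPT_ONLY);
            // Acceptor-side context: single-argument overload, credential only.
            GSSContext ctx = mgr.createContext(serverCred);
            try {
                // The AP-REQ inside the token is verified locally with the keytab key.
                byte[] reply = ctx.acceptSecContext(clientToken, 0, clientToken.length);
                String peer = ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                return new AcceptResult(ctx.isEstablished(), peer, reply);
            } finally {
                ctx.dispose();
            }
        };
        try {
            return Subject.doAs(serverSubject, action);
        } catch (PrivilegedActionException e) {
            throw e.getException(); // unwrap GSSException for the caller
        }
    }

    /** Usage sketch: login once at startup, then accept each client's token. */
    public static void main(String[] args) throws Exception {
        Subject acceptor = loginAcceptor("ServerAcceptor");
        byte[] clientToken = new byte[0]; // placeholder: replace with the token read from the socket
        AcceptResult r = acceptClientToken(acceptor, "servicename/host.example.org@EXAMPLE.ORG", clientToken);
        System.out.println("established=" + r.established + " client=" + r.clientPrincipal);
    }
}
```

The two settings that matter for the question in the thread are isInitiator=false, which stops Krb5LoginModule from performing the AS exchange at login(), and storeKey=true, which is what makes the keytab key available to the acceptor credential inside doAs. Because the keytab holds the service's long-term key, it should be readable only by the account the server runs as.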
