Thanks everyone for the responses. I can't use allowtgtsessionkey on Windows, because I want to achieve a cross-platform solution.
I'll look into the option provided by Weijun Wang and create KerberosTicket/KerberosPrincipal. I hope it would do the job.

2013/6/26 Henry B. Hotz <hbh...@lavenderwine.com>

> Even easier. Just set useTicketCache=true in the JAAS config.
>
> On Jun 25, 2013, at 5:37 PM, Weijun Wang <weijun.w...@oracle.com> wrote:
>
> > Java (at least Oracle JDK) does not support PKINIT.
> >
> > Yes, you can do it outside, create a KerberosTicket and a KerberosPrincipal, create a JAAS Subject containing them, and call Subject.doAs() later. It should work.
> >
> > On Windows, if you manage to use Windows' own login and have the ticket stored inside LSA, Java should be able to read it. There is a registry key allowtgtsessionkey you need to take care of. Or maybe you can use any third party kinit to save a ccache file which can also be picked up by Java.
> >
> > --Max
> >
> > On 6/26/13 7:29 AM, Henry B. Hotz wrote:
> >> I'm not authoritative, but AFAIK there is no smart card support in Java, though there is pkcs11 support.
> >>
> >> If I had to do it, I would do the smart card/PKINIT stuff outside Java, and then let Java use the acquired tgt.
> >>
> >> On Jun 25, 2013, at 5:52 AM, Ostap Andrusiv <pifos...@gmail.com> wrote:
> >>
> >>> Hi everyone,
> >>>
> >>> I've been playing with smart cards and faced some issues.
> >>> Long story short:
> >>>
> >>> Prerequisites:
> >>>
> >>> • I set up a basic Kerberos realm via Windows Active Directory.
> >>> • I managed to successfully log in to the service via a login/password pair using Java Kerberos (Krb5LoginModule), which is provided via JAAS.
> >>>
> >>> Now I try to implement Kerberos login via smart card. Smart card preauthentication in Kerberos is done via AS-REQ/AS-REP messages (PA-PK-AS-REQ/P extensions). Unfortunately, JAAS Kerberos hasn't used the smartcard. As far as I have seen, there were no PA-PK-AS-REQ/P extensions in openjdk sources. Maybe, I missed something.
> >>>
> >>> Question:
> >>>
> >>> 1. Does Java Kerberos support smart card preauthentication out of the box?
> >>>
> >>> 2. If it doesn't, can I somehow extend the existing Kerberos module or should I implement the whole of Kerberos from the ground up?
> >>>
> >>> Thanks in advance,
> >>> Ostap Andrusiv
> >>>
> >>> web: http://andrusiv.com
> >>> skype: ostap.andrusiv
> >>> ::p!F

--
Best regards,
Ostap Andrusiv

web: http://andrusiv.com
skype: ostap.andrusiv
::p!F