Hey DJ,

Thanks for the pointers, it was great advice!

I did end up Kerberizing the thick client with JAAS and GSSAPI using SPNEGO.
It wasn't immediately obvious to me how helpful the JAAS Authentication
Tutorial at
http://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
was going to be, but they have the majority of the code and config files
needed listed on that page. The thick client was actually pretty easy once I
wrapped my head around it. The most unfortunate drawback is that Microsoft
decided to tighten security as of Windows XP SP2 and the current
implementation (Java 6) of JAAS isn't able to grab all the information
necessary in the Kerberos ticket cache. The workaround is to edit a registry
key called AllowTgtSessionKey, which is a bummer.

The thin client ended up being a bit more tricky. I started off with JBoss'
Picket Link project and they document on their site that to use SPNEGO you
should use their Negotiate library. I was amazed that it actually had
documentation to follow for the setup and a couple of examples. A bit hasty
though - I followed the procedures to a T and it didn't work. Googling
around I found that a lot of others had suggestions on the correct way to
use that library, but I didn't get those working quickly so I switched gears to
a library named SPNEGO, whose site is spnego.sourceforge.net. It seems like
a one man show, but the guy did a great job of documenting the setup, his
code is clean (it's open source), he wrote the library to do exactly what I
wanted, and... it works. It looks like CAS is more extensible, but there's
also a lot more setup.

If anybody's struggling through this stuff and wants more detail on what I
did, feel free to shout.

Thanks!
Scott
-- 
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Gathering-Windows-logon-credentials-tp5272872p5657209.html
Sent from the Shiro User mailing list archive at Nabble.com.
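The thick-client approach Scott describes (JAAS login via the Kerberos ticket cache, then a GSS-API SPNEGO token placed in an HTTP Negotiate header) looks roughly like the following. This is an added example, not code from the thread or from the JAAS tutorial linked above. It assumes Java 8 or later, a `krb5.conf` (or the `java.security.krb5.realm`/`java.security.krb5.kdc` system properties) that points at the realm, a JAAS config file as shown in the comment, and a constructed service principal `HTTP@app.example.com`; the entry name `KerberosClient` and the URL are hypothetical.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Assumed JAAS configuration (file "jaas.conf", supplied with
 * -Djava.security.auth.login.config=jaas.conf). The entry name
 * "KerberosClient" is a hypothetical choice for this example.
 *
 *   KerberosClient {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true
 *           doNotPrompt=true;
 *   };
 *
 * useTicketCache=true makes Krb5LoginModule read the logged-on user's
 * existing TGT instead of asking for a password. On Windows XP SP2 and
 * later the LSA withholds the TGT session key unless the AllowTgtSessionKey
 * registry value mentioned in the thread is set, so without it this login
 * fails (doNotPrompt=true turns that into a hard failure rather than a
 * password prompt, which is what you want for a silent SSO client).
 */
public class SpnegoClient {

    // SPNEGO mechanism OID (RFC 4178); a standard constant, not page-specific.
    private static final Oid SPNEGO_OID = oid("1.3.6.1.5.5.2");

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Run the JAAS login and return the Subject carrying the Kerberos credentials. */
    static Subject login(String jaasEntry) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry); // no CallbackHandler: cache or fail
        lc.login();
        return lc.getSubject();
    }

    /**
     * Build the initial SPNEGO token for a host-based HTTP service
     * (e.g. "HTTP@app.example.com", a constructed value). Runs inside the
     * Subject so GSS-API picks up the Kerberos credentials from the login.
     */
    static byte[] initialToken(Subject subject, String hostBasedService) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSName server = manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = manager.createContext(server, SPNEGO_OID, null,
                    GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true); // ask the server to prove itself as well
            ctx.requestIntegrity(true);
            try {
                // First leg only. For full mutual auth the server's
                // "WWW-Authenticate: Negotiate <token>" reply would be fed back
                // into ctx.initSecContext until ctx.isEstablished() is true.
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                ctx.dispose();
            }
        });
    }

    /** Send a GET carrying the token in the HTTP Negotiate header; return the status. */
    static int negotiateGet(URL url, byte[] token) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization",
                "Negotiate " + Base64.getEncoder().encodeToString(token));
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical target; replace with the real service URL and SPN.
        URL url = new URL("https://app.example.com/secure/");
        Subject subject = login("KerberosClient");
        byte[] token = initialToken(subject, "HTTP@app.example.com");
        System.out.println("HTTP status: " + negotiateGet(url, token));
    }
}
```

Two points worth checking when wiring this up: the SPN you name must match what the server's keytab or AD account holds (a mismatch shows up as a 401 after a token that looks perfectly valid), and the service should be reached over TLS, since the Negotiate token alone does not protect the rest of the HTTP exchange.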
