Hi all,
I have some problems getting through to LDAP using jaas/kerberos/GSSAPI. Kerberos login is successful, but when I try to create an InitialDirContext, an "AuthenticationNotSupportedException: GSSAPI" is thrown. Funny thing is that it only occurs when running a websphere+Microsoft AD setup (with ibm's Krb5LoginModule) - when I use jboss with sun's Krb5LoginModule everything works!
So, there must be an issue regarding the difference in setup. Do any of you know about known IBM problems in supporting kerberos and GSSAPI?
I am aware that ibm's Krb5LoginModule may be more restrictive than sun's. If so, my implementation may be insufficient. Actually, I am running without keytab file, and I'm wondering if that's a problem.
My implementation consists of a single java ear file deployed on websphere app server:
1. The only Websphere configuration is that I have added a "MyLoginModule" entry to wsjaas.properties (the MyLoginModule entry points to com.ibm.security.auth.module.Krb5LoginModule). Don't really know why it should be wsjaas.properties - I don't have any webservice involved... Is there a point here?
2. My application accepts username and password in a user dialog.
3. My application sets System properties: java.security.krb5.conf=<myInstDir>/admin/var/jaas/krb5.conf and java.security.auth.login.config=<myInstDir>/admin/var/jaas/step-jaas.conf
4. My application creates a LoginContext (new LoginContext("MyLoginModule", MyCallbackhandler)) - The CallbackHandler provides username and password to the LoginModule on request. This is why I don't think I need a keytab file copied to the websphere server...
5. Start a thread using Subject.doAs(loginContext.getSubject(), myWorkerThread)
6. The worker thread sets environment LDAP_INITIAL_CONTEXT_FACTORY=com.sun.jndi.ldap.LdapCtxFactory, LDAP_SERVER_URL=ldap://my.ldap.host:389, AUTH_MECHANISMS=GSSAPI.
7. The worker thread creates new InitialDirContext(env) - and this is where the "AuthenticationNotSupportedException: GSSAPI" is thrown.
Again - there is no AuthenticationNotSupportedException when using jboss+sun's Krb5LoginModule, so it seems that I CAN do without a keytab file. Anyway, the problem here is that websphere is my main target appserver!!
I hope some of you can give me some advice, because I'm totally stuck in this case.
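The following is an added, complete version of the seven-step flow described in the post (it is not the poster's code, and it has not been run against the poster's setup). Host name, realm, file paths and the JAAS entry contents are assumptions and are marked as such in the comments. It adds one check a practitioner would want before the bind: the Sun JNDI LDAP provider (com.sun.jndi.ldap.LdapCtxFactory) throws AuthenticationNotSupportedException for a SASL mechanism when javax.security.sasl.Sasl.createSaslClient returns null for it, i.e. when no installed security provider registers a SaslClientFactory for that mechanism. Calling createSaslClient with the same arguments the bind will use, and listing the SaslClientFactory entries of the installed providers when it returns null, tells you whether the JVM (rather than the Kerberos login or the directory) is the reason for the exception.

```java
import java.security.PrivilegedExceptionAction;
import java.security.Provider;
import java.security.Security;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;

/*
 * Added example, not the original poster's code. Assumed values:
 *   LDAP host     ldap.example.com (the SPN ldap/ldap.example.com@REALM must exist in AD)
 *   config paths  /opt/myInst/admin/var/jaas/{krb5.conf,step-jaas.conf}
 *   step-jaas.conf is assumed to contain:
 *     MyLoginModule {
 *         com.ibm.security.auth.module.Krb5LoginModule required;      // IBM JDK (WebSphere)
 *         // com.sun.security.auth.module.Krb5LoginModule required;   // Sun/Oracle JDK (JBoss)
 *     };
 */
public class GssapiLdapBind {

    /** Step 2/4: hands the dialog's username and password to the configured Krb5LoginModule. */
    static final class PasswordCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        PasswordCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /**
     * Mirrors what LdapCtxFactory does for a SASL bind: ask the installed providers for a
     * client for the mechanism. A null result is exactly the condition under which JNDI
     * throws AuthenticationNotSupportedException(mech); in that case the registered
     * SaslClientFactory entries are listed so the missing provider can be identified.
     */
    static boolean saslMechanismAvailable(String mech, String host, Map<String, ?> props) throws Exception {
        SaslClient sc = Sasl.createSaslClient(new String[] { mech }, null, "ldap", host, props, null);
        if (sc == null) {
            System.err.println("No SaslClientFactory for " + mech + "; installed SASL client factories:");
            for (Provider p : Security.getProviders()) {
                for (Object key : p.keySet()) {
                    String k = key.toString();
                    if (k.startsWith("SaslClientFactory.")) System.err.println("  " + p.getName() + ": " + k);
                }
            }
            return false;
        }
        sc.dispose();
        return true;
    }

    public static void main(String[] args) throws Exception {
        final String host = "ldap.example.com";                       // assumed
        final String url = "ldap://" + host + ":389";
        final String user = args[0];                                  // normally from the user dialog
        final char[] password = args[1].toCharArray();

        // Step 3: point JGSS at the realm/KDC definition and JAAS at the login entry (assumed paths).
        System.setProperty("java.security.krb5.conf", "/opt/myInst/admin/var/jaas/krb5.conf");
        System.setProperty("java.security.auth.login.config", "/opt/myInst/admin/var/jaas/step-jaas.conf");

        // Step 4: password-based login; the TGT ends up in the Subject's private credentials,
        // so no keytab is involved on the client side.
        LoginContext lc = new LoginContext("MyLoginModule", new PasswordCallbackHandler(user, password));
        lc.login();

        // Steps 5-7: the bind must run inside doAs, because the GSSAPI SASL client takes its
        // Kerberos credentials from the Subject bound to the current AccessControlContext.
        Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                Hashtable<String, Object> env = new Hashtable<String, Object>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, url);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                env.put("javax.security.sasl.qop", "auth-conf");      // optional: integrity + privacy

                if (!saslMechanismAvailable("GSSAPI", host, env)) {
                    throw new IllegalStateException("this JVM has no GSSAPI SASL client provider");
                }
                DirContext ctx = new InitialDirContext(env);         // SASL/GSSAPI bind happens here
                try {
                    // Minimal round-trip on the root DSE to prove the bind is usable.
                    Attributes attrs = ctx.getAttributes("", new String[] { "defaultNamingContext" });
                    System.out.println("Bound as " + user + "; " + attrs.get("defaultNamingContext"));
                } finally {
                    ctx.close();
                }
                return null;
            }
        });
        lc.logout();
    }
}
```

Usage: `java GssapiLdapBind <user> <password>` on the same JVM that the application server uses. If the login succeeds but the check prints a provider list without a `SaslClientFactory.GSSAPI` entry, the `AuthenticationNotSupportedException: GSSAPI` comes from the JVM's provider configuration rather than from the Krb5LoginModule or the keytab question; if the check passes and the bind still fails, the next things to compare between the two setups are the ticket in the Subject (`lc.getSubject().getPrivateCredentials()`) and the service principal that the host part of the URL resolves to.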