I have a Java client which should receive a TGT ticket from the LSA for client/server authentication. So the krbc_{username} file should not be used and is deleted. If I set the krbc_{username} with kinit.exe it works as expected, but as said before that is not my goal. However, the TGT in the LSA cache can't be found. This is what I see in the console:
Found no TGT's in LSA
A code fragment:

    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    try {
        // "Client" is the entry name in jaas.conf; the handler supplies the user's ticket
        LoginContext lc = new LoginContext("Client", new LibsCallbackHandler(userTicket));
        lc.login();
        Subject s = lc.getSubject();
        logger.info(s);
    } catch (LoginException e) {
        logger.error("Kerberos login failed", e);
    }
In jaas.conf, useTicketCache is set to true. The userTicket is set if I log in with a dialog which I am using. If I use my username and password I receive a new ticket, which is fine but not enough for single sign-on. I also set 'allowtgtsessionkey' to 1 in the registry.
Answer 0: (score: 0)

This question should contain the solution to the problem; let me quote the answer:

Delete the krb5cc* file under the current user name in C:\Users

You also need to set a registry key, quoting:

Also set the following registry value to 1:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value name: AllowTGTSessionKey
Value type: REG_DWORD
Value: 1
Another problem may be related to the ticket keyType: your application will ignore tickets with an unsupported keyType. For example, I had tickets of keyType 18 in the LSA, did not have the Java JCE extension (from Oracle) installed, and it did not work with JAAS. To support a wider range of keyTypes you need to install the Oracle Java JCE extension (adds support for AES >= 256 ...). OpenJDK Java distributions support all keyTypes / AES without the extension.

You should also run the application in full Kerberos debug mode; it will give useful log messages:
java -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -jar appname.jar
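The following is an added example, not code from the question or the answer above. It builds the jaas.conf entry in code (Krb5LoginModule with useTicketCache=true and doNotPrompt=true, so an empty LSA cache fails the login instead of silently falling back to a password prompt), logs in, and then lists the KerberosTicket objects the JVM actually accepted into the Subject together with their session key types. That last step is what lets you tell the two failure modes in the answer apart: no ticket at all points at the LSA cache / AllowTGTSessionKey side, while a missing AES-256 (keyType 18) ticket on an Oracle JDK points at the JCE policy. The class name LsaTgtCheck and the entry name "Client" are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example (not the answerer's code): log in through the LSA ticket cache
// without prompting, then list the TGTs the JVM accepted and their key types.
public class LsaTgtCheck {

    // Equivalent of a jaas.conf entry:
    //   Client { com.sun.security.auth.module.Krb5LoginModule required
    //            useTicketCache=true doNotPrompt=true debug=true; };
    // Built in code so the example runs without an external configuration file.
    static Configuration ticketCacheOnlyConfig() {
        Map<String, String> options = new HashMap<>();
        options.put("useTicketCache", "true");
        options.put("doNotPrompt", "true");   // fail instead of prompting for a password
        options.put("debug", "true");         // Krb5LoginModule prints its cache lookup
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "Client".equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    public static void main(String[] args) {
        Configuration.setConfiguration(ticketCacheOnlyConfig());
        try {
            // No callback handler: with doNotPrompt=true the module must find a TGT in the cache.
            LoginContext lc = new LoginContext("Client");
            lc.login();
            Subject subject = lc.getSubject();
            Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
            if (tickets.isEmpty()) {
                System.out.println("Login succeeded but the Subject holds no KerberosTicket");
            }
            for (KerberosTicket t : tickets) {
                // Session key types 17 and 18 are AES-128 and AES-256 (RFC 3962).
                // On an Oracle JDK without the unlimited-strength JCE policy the
                // AES-256 ticket is the one that gets dropped, as the answer describes.
                System.out.printf("client=%s server=%s sessionKeyType=%d expires=%s%n",
                        t.getClient(), t.getServer(), t.getSessionKeyType(), t.getEndTime());
            }
        } catch (LoginException e) {
            // With doNotPrompt=true an empty or unreadable LSA cache ends here
            // rather than in a password dialog.
            System.err.println("Kerberos login from ticket cache failed: " + e.getMessage());
        }
    }
}
```

Run it with the same -Dsun.security.krb5.debug=true flag as in the answer; the debug lines from Krb5LoginModule show whether the native LSA lookup ran at all, and the printed sessionKeyType values show which tickets survived the key type filter.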