How to validate a Kerberos ticket against a server in Java?

We are using JAAS to enable Single Sign On in a Java application using the Windows Kerberos ticket cache. Our jaas.conf config file looks like this:

LoginJaas {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  doNotPrompt=true
  debug=true;
};

With this, we can create a JAAS LoginContext and successfully get the user's Kerberos ticket. We send this ticket to our server application using JMI. What we don't manage to do, though, is to verify on the server that the Kerberos ticket was in fact created by our Active Directory.

At the moment, we do a very insecure validation of the ticket by simply checking if the Server Principal (KerberosTicket.getServer()) name has our domain name in the realm part. But of course, anyone could set up their own Kerberos server with the same realm name and use that ticket to start the application.

One idea I have found was to authenticate against the Active Directory LDAP using the Kerberos ticket. Unfortunately, we use Windows 7 and re-using the Kerberos ticket to authenticate against the LDAP only works when setting a Registry entry (see http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html, search for allowtgtsessionkey). This is unacceptable for our users.

Is there any way to validate the ticket against our Active Directory server? I suspect there is a way to check if the KerberosTicket.getServer() ticket equals the ticket of our server, but I have no idea how to do that. UPDATE: KerberosTicket().getServer() only returns a KerberosPrincipal that contains nothing but the server ticket name and realm, so it is not suitable for validation.

Thanks for your help, memminger

user269667 asked Feb 09 '10 17:02


1 Answer

As you mentioned, the proper way to solve this is by kerberizing your service, which is the whole point of the Kerberos protocol (authenticating clients against servers). Ticket reuse doesn't work exactly because it'd be a security problem if it did. A Kerberos service does not need to "log into Active Directory", it just needs to have a shared key with AD.

BTW, to get SSO using JAAS requires having that allowtgtsessionkey set, there's no way around that on Windows.

Max Caceres answered Oct 13 '22 18:10
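To make the answer's advice concrete, here is an added example (not code from the question or the answer) of kerberizing the service with JGSS: the client builds a GSS-API token from its ticket cache using the question's LoginJaas entry, and the server accepts it with a credential taken from a keytab, so the ticket is verified by decrypting it with the key shared with AD. The ServerJaas entry name, keytab path and service principal are assumed values.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class KerberizedService {
    // Kerberos v5 GSS-API mechanism OID.
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2";

    // Assumed server-side jaas.conf entry (hypothetical values):
    // ServerJaas {
    //   com.sun.security.auth.module.Krb5LoginModule required
    //   useKeyTab=true storeKey=true doNotPrompt=true isInitiator=false
    //   keyTab="/etc/app/service.keytab"
    //   principal="app/server.example.com@EXAMPLE.COM";
    // };

    // Client side: obtain an AP-REQ token for the service from the ticket cache.
    public static byte[] clientToken(String servicePrincipal) throws Exception {
        LoginContext lc = new LoginContext("LoginJaas"); // entry from the question
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager m = GSSManager.getInstance();
            GSSName server = m.createName(servicePrincipal, GSSName.NT_USER_NAME);
            GSSContext ctx = m.createContext(server, new Oid(KRB5_MECH), null,
                    GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false); // one token is enough to authenticate the client
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;
        });
    }

    // Server side: accept the token; returns the authenticated client principal.
    // The ticket inside the token is decrypted with the service key from the keytab,
    // so a ticket minted by a rogue KDC with the same realm name is rejected here.
    public static String acceptToken(byte[] clientToken) throws Exception {
        LoginContext lc = new LoginContext("ServerJaas"); // assumed entry, see above
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager m = GSSManager.getInstance();
            GSSCredential serverCred = m.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                    new Oid(KRB5_MECH), GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = m.createContext(serverCred);
            ctx.acceptSecContext(clientToken, 0, clientToken.length);
            if (!ctx.isEstablished()) throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            String client = ctx.getSrcName().toString(); // e.g. user@EXAMPLE.COM
            ctx.dispose();
            return client;
        });
    }
}
```

The byte array returned by clientToken is what the client should send over the wire instead of the raw KerberosTicket; the server trusts nothing about the caller until acceptToken has succeeded.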