
I am using the Java GSS-API with Kerberos for secure authentication. I implemented a sample Server and a sample Client program, and the Client is able to successfully authenticate and get the service from the Server. For these sample programs I passed the KDC address through a Java System Property (java.security.krb5.kdc). Now the problem is that I want to connect to two different KDC Servers from a single Client program to access multiple services. Through the system property we can pass only one KDC Server address. How can I connect to multiple KDC Servers from a single Client program?

1 Answer


You can specify multiple realm entries and their corresponding KDCs using a krb5 config file.

[libdefaults]
    default_realm = A1.LOCAL
    default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
    A1.LOCAL = {
        kdc = ADA1.A1.LOCAL
    }

    B1.LOCAL = {
        kdc = ADB1.B1.LOCAL
    }

[domain_realm]
    a1.local = A1.LOCAL
    .a1.local = A1.LOCAL
    b1.local = B1.LOCAL
    .b1.local = B1.LOCAL

Instead of setting each property separately, provide this file as the configuration for your program. This can be done with:

System.setProperty("java.security.krb5.conf", krb5ConfigFilePath);

  • Thank you for the answer. Currently I am using keytab-based login. It requires the principal name to be specified as part of the configuration. How can I specify login information for multiple user principals?

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true keyTab=user.keytab principal="user1@LOCALHOST" storeKey=true;
    };
    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true keyTab=service.keytab principal="service1@LOCALHOST" storeKey=true;
    };

    – Prashanth Reddy Sep 10 '20 at 13:24
  • The keytab and principal values to be specified are those of the service account, not the end users. Therefore you don't need individual keytabs and SPNs for individual users. Usually the keytab file path and the SPN should be configurable externally. Also, the SPN value is very much aligned with the FQDN of the server where the application is deployed. A single keytab can contain multiple SPN entries (not recommended by Microsoft, but it can be done). – Bhushan Karmarkar Sep 11 '20 at 04:45
  • If you are considering multi-domain kerberized deployments, then there needs to be a trust between all the domains, which is to be set up by your IT admin. Generally cross-domain Kerberos is not recommended. People usually go for SAML for that. – Bhushan Karmarkar Sep 11 '20 at 04:46
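The answer above covers the krb5.conf side (one [realms] entry per KDC, selected by the realm in the principal name or by the [domain_realm] mapping of the target host), and the first comment asks how to log in as more than one principal. The following is an added example, not code from the question, the answer, or the commenters, that ties the two together in Java: one JAAS login entry per realm, one Subject per logged-in principal, and every GSS-API call for a given service run under the Subject of the matching realm so credentials for A1.LOCAL can never be used for B1.LOCAL. The keytab paths, the principals user1@A1.LOCAL and user2@B1.LOCAL, and the service names svc/hosta.a1.local and svc/hostb.b1.local are hypothetical; the realm and KDC names match the answer's krb5.conf. Two practitioner caveats: the answer's enctype lists include single-DES and RC4, which current JDKs refuse unless allow_weak_crypto is set, so in practice only the AES entries do anything; and javax.security.auth.useSubjectCredsOnly is deliberately left at its default of true so the GSS layer takes the TGT from the Subject rather than silently picking up whatever ticket cache the process happens to see.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example (not from the original question or answer): a single client process that
 * logs in as one principal per realm and initiates a GSS-API context to a service in each
 * realm. Which KDC is contacted for each realm comes from the [realms] section of the
 * krb5.conf named by java.security.krb5.conf. Keytab paths, user and service principal
 * names below are hypothetical.
 */
public class MultiRealmClient {

    /** Kerberos V5 mechanism OID (RFC 1964). */
    private static Oid krb5Mech() throws Exception {
        return new Oid("1.2.840.113554.1.2.2");
    }

    /**
     * Programmatic equivalent of a JAAS login file with two named entries, one keytab and
     * principal per realm. A file with the same two entries passed via
     * -Djava.security.auth.login.config behaves identically.
     */
    static final class TwoRealmJaasConfig extends Configuration {
        private final Map<String, AppConfigurationEntry[]> entries = new HashMap<>();

        TwoRealmJaasConfig() {
            entries.put("ClientA1", keytabLogin("/etc/keytabs/user1.keytab", "user1@A1.LOCAL"));
            entries.put("ClientB1", keytabLogin("/etc/keytabs/user2.keytab", "user2@B1.LOCAL"));
        }

        private static AppConfigurationEntry[] keytabLogin(String keytab, String principal) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useKeyTab", "true");
            opts.put("keyTab", keytab);
            opts.put("principal", principal);   // fully qualified, so the realm (and thus the KDC) is explicit
            opts.put("storeKey", "true");
            opts.put("doNotPrompt", "true");    // fail instead of prompting if the keytab does not work
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts) };
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return entries.get(name);
        }
    }

    /** One logged-in principal plus the GSS context it initiates; every GSS call runs as its Subject. */
    static final class Initiator {
        private final Subject subject;
        private final GSSContext ctx;

        Initiator(String jaasEntry, String servicePrincipal) throws Exception {
            LoginContext lc = new LoginContext(jaasEntry);
            lc.login();                          // AS exchange with the KDC of this principal's realm
            subject = lc.getSubject();
            ctx = doAs(() -> {
                GSSManager mgr = GSSManager.getInstance();
                GSSName peer = mgr.createName(servicePrincipal, GSSName.NT_USER_NAME, krb5Mech());
                GSSCredential cred = mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                        krb5Mech(), GSSCredential.INITIATE_ONLY);   // TGT taken from this Subject only
                GSSContext c = mgr.createContext(peer, krb5Mech(), cred, GSSContext.DEFAULT_LIFETIME);
                c.requestMutualAuth(true);       // the server must prove it holds the service key
                c.requestIntegrity(true);
                c.requestConf(true);
                return c;
            });
        }

        /** Feed the peer's token (empty on the first call) and get the next token to send, if any. */
        byte[] step(byte[] fromPeer) throws Exception {
            return doAs(() -> ctx.initSecContext(fromPeer, 0, fromPeer.length));
        }

        boolean established() { return ctx.isEstablished(); }

        private <T> T doAs(PrivilegedExceptionAction<T> action) throws Exception {
            try {
                return Subject.doAs(subject, action);
            } catch (PrivilegedActionException e) {
                throw e.getException();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // One krb5.conf listing both realms and their KDCs, as in the answer above.
        System.setProperty("java.security.krb5.conf", args.length > 0 ? args[0] : "/etc/krb5.conf");
        Configuration.setConfiguration(new TwoRealmJaasConfig());

        Initiator toA = new Initiator("ClientA1", "svc/hosta.a1.local@A1.LOCAL");
        Initiator toB = new Initiator("ClientB1", "svc/hostb.b1.local@B1.LOCAL");

        // First leg of each handshake (the AP-REQ). Each token goes to its own server, and the
        // server's reply is passed back into the matching step() until established() is true.
        byte[] tokenA = toA.step(new byte[0]);
        byte[] tokenB = toB.step(new byte[0]);
        System.out.printf("A1.LOCAL: %d-byte token, B1.LOCAL: %d-byte token%n",
                tokenA.length, tokenB.length);
    }
}
```

Run it with the krb5.conf path as the first argument. The two LoginContext entries replace the single com.sun.security.jgss.initiate entry from the comment; a client that only ever acts as an initiator does not need an accept entry at all. Subject.doAs is deprecated for removal since JDK 18 in favour of Subject.callAs, which takes a Callable and can be swapped in without changing the structure. If both services happen to live in the same realm, a single Initiator is enough, since one TGT can request tickets for any service in its realm; it is only when the services are in different realms and no cross-realm trust exists, which is the situation the last comment warns about, that you need one login per realm as shown here.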