
I'm aware I can call out to Active Directory and do queries provided I have a cleartext username and password. (I don't want to do that)

In VB, I can set authorisation levels by NT group - and the user doesn't have to enter their password nor store it in a text file. (My understanding is that this has access to the Windows AD ticket).

I also know I can shell out to the command line and parse the output - to get the user's groups - this is problematic.

How can I replicate getting the executing user's NT groups without a password in Java?

(It is beginning to sound like I'll have to call the Win32 API with JNA to get the Kerberos ticket - I'm hoping there is a simpler way.)

Joel Coehoorn
hawkeye

1 Answer


You should split up your question in two because you're mixing authentication with authorization. Kerberos works very pleasantly with Java on Windows with some caveats due to MS. Having said that, use the Kerberos ticket with the provided principal to authenticate against AD and retrieve the user's memberOf values to see which groups the user is in.

Michael-O
  • Could you give a hint about the caveats? – hawkeye Jul 17 '11 at 04:27
  • First part done: http://stackoverflow.com/questions/6721939/java-process-for-authentication-on-windows-against-ad-kerberos – hawkeye Jul 17 '11 at 04:35
  • The caveats are that 1. you have to tamper with the registry because Windows is blocking access to the LSA to obtain the session ticket (TGT) to request service tickets. Google for. 2. you have to maintain a krb5.conf just like on Unix. – Michael-O Jul 17 '11 at 14:32
  • Awesome - any hints on what the registry change is - or do I need to ask another question? – hawkeye Jul 18 '11 at 06:11
  • Please try to be more active in your investigation; it took me 10 seconds to find the answer to the first question here on Stack Overflow: http://stackoverflow.com/questions/3239495/windows-propagation-of-credentials-to-java-desktop-application – Michael-O Jul 18 '11 at 07:24
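
The approach described in the answer, as an added example that is not part of the original post: log in through JAAS with the logged-on user's existing Kerberos ticket (no password), bind to AD over LDAP with SASL/GSSAPI, and read `memberOf`. `LDAP_URL` and `BASE_DN` are hypothetical placeholders, and the sketch assumes the caveats from the comments (the LSA/TGT registry change and a working krb5.conf) are already handled.

```java
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.*;

public class CurrentUserGroups {
    // Hypothetical placeholders. Use the DC's FQDN so the LDAP service ticket matches its SPN.
    static final String LDAP_URL = "ldap://dc01.example.com:389";
    static final String BASE_DN = "DC=example,DC=com";

    public static void main(String[] args) throws Exception {
        // In-code JAAS config: reuse the logged-on user's ticket, never prompt for a password.
        Map<String, String> opts = Map.of("useTicketCache", "true", "doNotPrompt", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
        LoginContext lc = new LoginContext("sso", null, null, cfg);
        lc.login(); // throws LoginException if no usable TGT is available
        Subject subject = lc.getSubject();
        KerberosPrincipal kp = subject.getPrincipals(KerberosPrincipal.class).iterator().next();
        String sam = kp.getName().split("@")[0]; // user@REALM -> user
        // Bind to LDAP with SASL/GSSAPI as that subject, then read memberOf.
        List<String> groups = Subject.doAs(subject, (PrivilegedExceptionAction<List<String>>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            DirContext ctx = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls(SearchControls.SUBTREE_SCOPE, 0, 0,
                        new String[] { "memberOf" }, false, false);
                // {0} is substituted with escaping, so the name cannot alter the filter.
                NamingEnumeration<SearchResult> res =
                        ctx.search(BASE_DN, "(sAMAccountName={0})", new Object[] { sam }, sc);
                List<String> out = new ArrayList<>();
                while (res.hasMore()) {
                    Attribute a = res.next().getAttributes().get("memberOf");
                    for (int i = 0; a != null && i < a.size(); i++) out.add((String) a.get(i));
                }
                return out;
            } finally { ctx.close(); }
        });
        groups.forEach(System.out::println); // prints the group DNs
    }
}
```

`memberOf` lists only direct memberships: nested groups and the user's primary group are not included, so an authorization check built on it should account for that.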