After migrating to Java 7, our Java client application was unable to authenticate via Kerberos on Windows. If you have the same problem, the following configuration may help you solve it. There is a key, allowtgtsessionkey, in the Windows registry that allows a client application to decrypt the session key of the Kerberos Ticket Granting Ticket (TGT).
Windows Registry configuration
Depending on the version of Windows you use, this registry key should be created in the following Registry path.
Windows XP
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
REG_DWORD name: allowtgtsessionkey
Value: 1
Windows 2003 Server, Vista, 7, 8, etc.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
REG_DWORD name: allowtgtsessionkey
Value: 1
Default realm not found
Another problem that occurred (not sure if it is connected to Java 7) was a missing default realm. Find your krb5.ini file and add the following section if it is missing:
[libdefaults]
    default_realm = EUROPE.EXAMPLE.COM
[realms]
    # KDC configuration for realms
    EUROPE.EXAMPLE.COM = {
        kdc = eudc01.example.com
    }
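An added example, not code from the original post: a small Python check for the krb5.ini shown above that reports a missing default_realm, a default realm with no [realms] entry or no kdc, and lines that are neither comments nor settings. It assumes `#` and `;` are the only comment markers; the function names are this example's own.

```python
def parse_krb5(text):
    """Return (libdefaults, realms, line numbers that could not be parsed)."""
    libdefaults, realms, bad = {}, {}, []
    section = realm = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realm = realms.setdefault(key, {})   # open a realm block
            elif section == "realms" and realm is not None:
                realm.setdefault(key, []).append(value)
        else:
            bad.append(no)                   # e.g. a "// ..." line
    return libdefaults, realms, bad

def check_krb5(text):
    """List the gaps that surface as a missing default realm or KDC."""
    libdefaults, realms, bad = parse_krb5(text)
    problems = [f"line {n}: not a comment, section or key = value" for n in bad]
    default = libdefaults.get("default_realm")
    if not default:
        problems.append("[libdefaults] has no default_realm")
    elif default not in realms:
        problems.append(f"default_realm {default} has no entry in [realms]")
    elif not realms[default].get("kdc"):
        problems.append(f"realm {default} lists no kdc")
    return problems

# Constructed sample: the file from this post, with '#' as the comment marker.
SAMPLE = """\
[libdefaults]
default_realm = EUROPE.EXAMPLE.COM
[realms]
# KDC configuration for realms
EUROPE.EXAMPLE.COM = {
kdc = eudc01.example.com
}
"""

print(check_krb5(SAMPLE) or "no problems found")
```

To check a real file, pass its contents to `check_krb5`; an empty list means the default realm and its KDC are both defined.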