Saturday, December 3, 2011

Java and Kerberos (krb5.conf)

I had an interesting situation the other day where I needed to restrict the encryption types used by a Java webapp that authenticated via Kerberos. This is a common setup, since Kerberos has been the default authentication protocol in Active Directory since Windows 2000.

Now Kerberos and Active Directory are huge topics, so I'm only going to focus on one thing that tripped me up, namely: where is the krb5.conf file for a Java application, and what can you use it for? It turns out krb5.conf is a very useful file if you need to tweak things. Here is how you tell Java where your krb5.conf file is (a JVM system property, set on the java command line or in your app server's JVM options):

-Djava.security.krb5.conf=/path/to/your/krb5.conf

Now you need to make sure that you aren't also setting these two parameters: if both are set, Java takes the realm and KDC from them and your krb5.conf file is ignored (setting only one of the two is an error, they must be set together or not at all):

-Djava.security.krb5.realm
-Djava.security.krb5.kdc

So inside your krb5.conf file you can set your realms and their KDCs (key distribution centers) in the [realms] section, and your default realm and the default encryption types in the [libdefaults] section. Different versions of Windows Domain Controllers differ in the encryption types they support, so you may need to tweak the following lines (they may list different types in your file, depending on Java version). Note that restricting the encryption types means removing the weak ones (rc4-hmac and the single-DES des-cbc-* types) from all three lists, not just reordering them; also, aes256-cts needs the unlimited-strength JCE policy files on older JDKs, and newer JDKs disable the DES types by default unless allow_weak_crypto = true is set in [libdefaults].

[libdefaults]
    default_tkt_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
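As an added example (not code from the original post), here is a small Python checker that parses the [libdefaults] enctype settings out of a krb5.conf, reports which weak or deprecated types each setting still permits, and tells you from a JVM's -D options whether the file or the realm/kdc system properties will win. The two krb5.conf texts inside it are constructed sample input (one with the lists quoted above, one restricted to AES); the realm EXAMPLE.COM and the KDC dc1.example.com are placeholders.

```python
"""Audit the Kerberos encryption types a Java krb5.conf permits.

Added example, not code from the original post. The krb5.conf texts and
the realm/KDC names in them are constructed sample input.
"""
import re

# [libdefaults] settings Java's Kerberos provider reads for TGT, service
# ticket and overall permitted enctypes.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Single DES, triple DES and RC4 are deprecated for Kerberos (RFC 6649 and
# RFC 8429); a hardened config leaves only the AES types.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
}

# Constructed: the enctype lists quoted in the post, in a minimal file.
WEAK_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
  permitted_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc

[realms]
  EXAMPLE.COM = {
    kdc = dc1.example.com
  }
"""

# Constructed: the same file restricted to AES only.
HARDENED_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  # aes256-cts needs the unlimited-strength JCE policy on JDKs before 8u161
  default_tkt_enctypes = aes256-cts aes128-cts
  default_tgs_enctypes = aes256-cts aes128-cts
  permitted_enctypes = aes256-cts aes128-cts

[realms]
  EXAMPLE.COM = {
    kdc = dc1.example.com
  }
"""


def parse_libdefaults(text):
    """Return the key = value pairs of the [libdefaults] section as a dict."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or comment line
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key.lower()] = value
    return values


def enctypes(text):
    """Map each enctype setting present to its list of types (space or comma separated)."""
    libdefaults = parse_libdefaults(text)
    return {k: libdefaults[k].replace(",", " ").split() for k in ENCTYPE_KEYS if k in libdefaults}


def weak_enctypes(text):
    """Map each enctype setting present to the weak/deprecated types it still allows."""
    return {k: [t for t in v if t.lower() in WEAK_ENCTYPES] for k, v in enctypes(text).items()}


def is_hardened(text):
    """True only if all three settings are explicit and none allows a weak type.
    A missing setting falls back to the JDK's built-in list, so it is not hardened."""
    found = weak_enctypes(text)
    return all(k in found and not found[k] for k in ENCTYPE_KEYS)


def krb5_config_source(jvm_args):
    """Which settings Java honours for the given -D options: both realm and kdc
    properties set means krb5.conf is ignored; only one of them set is an error."""
    props = {a[2:].split("=", 1)[0] for a in jvm_args if a.startswith("-D")}
    realm_kdc = {"java.security.krb5.realm", "java.security.krb5.kdc"} & props
    if len(realm_kdc) == 2:
        return "system-properties"
    if len(realm_kdc) == 1:
        return "error"
    return "krb5.conf" if "java.security.krb5.conf" in props else "default-search"


if __name__ == "__main__":
    for name, conf in (("post", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "hardened" if is_hardened(conf) else weak_enctypes(conf))
    print(krb5_config_source(["-Djava.security.krb5.conf=/etc/krb5.conf"]))
```

Run it against your real file with `weak_enctypes(open("/path/to/krb5.conf").read())`; the "default-search" result from `krb5_config_source` means Java will look for the file in its own lib/security directory and then in the OS default location rather than where you put it.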


The following links are quite helpful:

Java6 security tech note - new features
Java security tech note - troubleshooting
Wikipedia - Kerberos
Forum posting for encryption type difference between Windows Server 2003 and 2008
