Using a Kerberized application outside the Kerberos Realm - Kerberos



Thread: Using a Kerberized application outside the Kerberos Realm

  1. Using a Kerberized application outside the Kerberos Realm

    Hello,

    I am using the Windows 2003 domain controller and the included KDC. I want to implement single-sign-on with an application that is a server programmed in Java. Let's call it Alice. A client software, also programmed in Java, will connect to Alice. Let's call this client Bob. Now Alice is the service I have to add to the domain controller in order to acquire service tickets later. Bob is the client that should acquire a service ticket for Alice from the KDC and pass it on to Alice. I want Alice to ensure the service ticket's authenticity by decrypting it with the shared secret key that only Alice and the KDC possess. I already succeeded in obtaining a TGT from the KDC. My problem is that Alice is not in the domain in which the KDC is running. To be more precise, the KDC and the service Alice are set up in different network environments and thus do not know each other.
    Is it possible to create a kerberized service that is not part of the Kerberos realm? If yes, what do I have to do?

    I thought of sharing the symmetric service key between the KDC and Alice. To do so, I tried to create the service Alice with ktpass, give the encryption key so created to Alice and let Alice decrypt the service tickets that will be delivered by Bobs later.

    Is this procedure possible in theory? Does anyone know how to obtain the service ticket by using JAAS? I only managed to get the TGT.

    This is an extract of my code so far:

    import java.security.Principal;
    import java.security.PrivilegedExceptionAction;
    import javax.security.auth.Subject;
    import javax.security.auth.kerberos.KerberosTicket;
    import javax.security.auth.login.LoginContext;

    // Element and tPropertiesCatalog come from the application's own configuration code
    System.setProperty("java.security.krb5.realm", ((Element)tPropertiesCatalog.get("PROVIDER_REALM")).getAttributeValue("value"));
    System.setProperty("java.security.krb5.kdc", ((Element)tPropertiesCatalog.get("PROVIDER_URL")).getAttributeValue("value"));
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    // Performing Kerberos login (JAAS entry "JaasLogin" using Krb5LoginModule)
    LoginContext tLoginContext = new LoginContext("JaasLogin");
    tLoginContext.login();
    final Subject tSubject = tLoginContext.getSubject();

    Subject.doAs(tSubject, new PrivilegedExceptionAction<Object>()
    {
        public Object run() throws Exception
        {
            // The logged-in user principal
            Principal tPrincipal = (Principal)tSubject.getPrincipals().iterator().next();
            // The TGT (krbtgt/REALM@REALM) obtained by the login; there is no service ticket yet
            KerberosTicket tTicket = tSubject.getPrivateCredentials(KerberosTicket.class).iterator().next();
            return null;
        }
    });

    How can I get a service ticket now?

    Thanks for any help in advance.


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Using a Kerberized application outside the Kerberos Realm

    On Mon, 21 Aug 2006 18:40:28 +0200
    "Florian Frankenberger" wrote:

    > My problem is that Alice is not in the domain in which the KDC is running. To be more precise, the KDC and the service Alice are set up in different network environments and thus do not know each other.
    > Is it possible to create a kerberized service that is not part of the Kerberos realm? If yes, what do I have to do?


    Alice and Bob have to be in the same realm or in separate realms that
    have a trust established between them. Otherwise there is no basis for
    establishing trust between Alice and Bob. Kerberos is a "third party
    authentication system" so there needs to be someone both principals trust.

    > I thought of sharing the symmetric service key between the KDC and Alice. To do so, I tried to create the service Alice with ktpass, give the so created encryption key to Alice and let Alice decrypt the service tickets, that will be delivered by Bobs later.
    >
    > Is this procedure possibly in theory? Does anyone know how to obtain the service ticket by using JAAS? I only managed to get the TGT.


    If Bob requests a ticket for ALICESVC/apps22.ai-ag.de@AI-AG.DE then
    even if Bob is bob@AI-AG.US he should have no problem looking up the
    KDC for AI-AG.DE using DNS and getting a ticket per usual. But a trust
    relationship would be required between AI-AG.DE and AI-AG.US.

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/


  3. Re: Using a Kerberized application outside the Kerberos Realm

    Thank you, Mike.

    In my case, Alice isn't running in a domain at all. That's why I have to implement the check for authenticity on Alice's side in my own way. So what about the idea of having the service ticket encrypted with the symmetric key that only the KDC and Alice know? Doesn't this mean a kind of secure proof of authenticity to Alice if the ticket passed by Bob can be decrypted with the shared secret key?
    Or is it simply impossible to get a service ticket for a service that doesn't exist in this or any other domain?


    -----Original Message-----
    From: Michael B Allen [mailto:mba2000@ioplex.com]
    Sent: Monday, 21 August 2006 20:49
    To: Florian Frankenberger
    Cc: kerberos@mit.edu
    Subject: Re: Using a Kerberized application outside the Kerberos Realm


    On Mon, 21 Aug 2006 18:40:28 +0200
    "Florian Frankenberger" wrote:

    > My problem is that Alice is not in the domain in which the KDC is running. To be more precise, the KDC and the service Alice are set up in different network environments and thus do not know each other.
    > Is it possible to create a kerberized service that is not part of the Kerberos realm? If yes, what do I have to do?


    Alice and Bob have to be in the same realm or in separate realms that
    have a trust established between them. Otherwise there is no basis for
    establishing trust between Alice and Bob. Kerberos is a "third party
    authentication system" so there needs to be someone both principals trust.

    > I thought of sharing the symmetric service key between the KDC and Alice. To do so, I tried to create the service Alice with ktpass, give the so created encryption key to Alice and let Alice decrypt the service tickets, that will be delivered by Bobs later.
    >
    > Is this procedure possibly in theory? Does anyone know how to obtain the service ticket by using JAAS? I only managed to get the TGT.


    If Bob requests a ticket for ALICESVC/apps22.ai-ag.de@AI-AG.DE then
    even if Bob is bob@AI-AG.US he should have no problem looking up the
    KDC for AI-AG.DE using DNS and getting a ticket per usual. But a trust
    relationship would be required between AI-AG.DE and AI-AG.US.

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/



  4. Re: Using a Kerberized application outside the Kerberos Realm

    If Alice can share a key with the KDC then Alice can be issued a service
    principal name and act as part of the realm.

    Jeffrey Altman


    Florian Frankenberger wrote:
    > Thank you, Mike.
    >
    > In my case, Alice isn't running in a domain at all. That's why I have to implement the check for authenticity on Alice's side in my own way. So what about the idea of having the service ticket encrypted with the symmetric key that only the KDC and Alice know? Doesn't this mean a kind of secure proof of authenticity to Alice if the ticket passed by Bob can be decrypted with the shared secret key?
    > Or is it simply impossible to get a service ticket for a service that doesn't exist in this or any other domain?
    >
    >
    > -----Original Message-----
    > From: Michael B Allen [mailto:mba2000@ioplex.com]
    > Sent: Monday, 21 August 2006 20:49
    > To: Florian Frankenberger
    > Cc: kerberos@mit.edu
    > Subject: Re: Using a Kerberized application outside the Kerberos Realm
    >
    >
    > On Mon, 21 Aug 2006 18:40:28 +0200
    > "Florian Frankenberger" wrote:
    >
    >> My problem is that Alice is not in the domain in which the KDC is running. To be more precise, the KDC and the service Alice are set up in different network environments and thus do not know each other.
    >> Is it possible to create a kerberized service that is not part of the Kerberos realm? If yes, what do I have to do?

    >
    > Alice and Bob have to be in the same realm or in separate realms that
    > have a trust established between them. Otherwise there is no basis for
    > establishing trust between Alice and Bob. Kerberos is a "third party
    > authentication system" so there needs to be someone both principals trust.
    >
    >> I thought of sharing the symmetric service key between the KDC and Alice. To do so, I tried to create the service Alice with ktpass, give the so created encryption key to Alice and let Alice decrypt the service tickets, that will be delivered by Bobs later.
    >>
    >> Is this procedure possibly in theory? Does anyone know how to obtain the service ticket by using JAAS? I only managed to get the TGT.

    >
    > If Bob requests a ticket for ALICESVC/apps22.ai-ag.de@AI-AG.DE then
    > even if Bob is bob@AI-AG.US he should have no problem looking up the
    > KDC for AI-AG.DE using DNS and getting a ticket per usual. But a trust
    > relationship would be required between AI-AG.DE and AI-AG.US.
    >
    > Mike
    >
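The two halves of what this thread asks for, as an added example that is not code from Florian's post or from anyone on the list: Bob obtains the service ticket for Alice through JAAS plus GSS-API (initSecContext issues the TGS-REQ for you), and Alice, holding the key that ktpass exported into a keytab, verifies the ticket by accepting the token, which is exactly the "shared key with the KDC" arrangement Jeffrey describes. It assumes a JAAS config with the post's "JaasLogin" entry for Bob and a hypothetical "AliceKeytab" entry (Krb5LoginModule with useKeyTab=true, storeKey=true, principal set to Alice's SPN), and uses the SPN from Mike's reply.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class KerberosServiceTicketDemo {
    // Kerberos v5 mechanism OID and the krb5 principal-name OID (both standard)
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
    private static final Oid KRB5_PRINCIPAL = new Oid("1.2.840.113554.1.2.2.1");
    // Alice's SPN as in Mike's reply; assumed to be the one registered with ktpass
    private static final String ALICE_SPN = "ALICESVC/apps22.ai-ag.de@AI-AG.DE";

    // Bob: JAAS login ("JaasLogin", as in the post) yields the TGT; GSS-API then fetches
    // the service ticket for Alice and wraps it in the AP-REQ token Bob sends to Alice.
    public static byte[] clientToken() throws Exception {
        LoginContext lc = new LoginContext("JaasLogin");
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName alice = mgr.createName(ALICE_SPN, KRB5_PRINCIPAL);
            GSSContext ctx = mgr.createContext(alice, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true); // ask Alice to prove she holds the service key too
            // initSecContext triggers the TGS-REQ; the token carries the service ticket
            return ctx.initSecContext(new byte[0], 0, 0);
        });
    }

    // Alice: JAAS login ("AliceKeytab", hypothetical entry) loads the service key from the
    // keytab; acceptSecContext decrypts the ticket with that key, which is the authenticity
    // check Florian wants. The returned AP-REP (if any) goes back to Bob for mutual auth.
    public static String acceptToken(byte[] token) throws Exception {
        LoginContext lc = new LoginContext("AliceKeytab");
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    KRB5_MECH, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = mgr.createContext(cred);
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) {
                throw new SecurityException("Kerberos context not established");
            }
            return ctx.getSrcName().toString(); // authenticated client, e.g. bob@AI-AG.DE
        });
    }
}
```

Alice only needs network reachability from Bob and a keytab whose key matches the KDC's copy; the KDC never has to reach Alice, but Bob must still be able to reach the KDC of the realm that issued Alice's principal.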

