Java Kerberos ticket renew TGT


Problem description

I am using Krb5LoginModule in one of the POCs. I have provided useDefaultCache=true and renewTGT=true.

The code throws an exception when the ticket is expired although I have mentioned renewTGT=true. I have set the allowtgtsessionkey value to 1 in the Windows registry (I am running XP SP2). The KDC (Active Directory) settings are default. Ticket lifetime = 10 hours and renewal request threshold = 7 days.

import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import com.sun.security.auth.module.Krb5LoginModule;

public class Temp3 {
    public static void main(String[] args) throws Exception {
        // Print the Kerberos library's internal trace to stdout
        System.setProperty("sun.security.krb5.debug", "true");

        // Empty Subject that the module will populate with principal and tickets
        Subject subject = new Subject();

        // The JAAS Kerberos login module is driven directly here, without a LoginContext
        Krb5LoginModule krb5 = new Krb5LoginModule();

        // Module options, the same keys a JAAS configuration file would carry
        Map<String, String> map = new HashMap<String, String>();
        map.put("useTicketCache", "true"); // take the TGT from the existing ticket cache (kinit / LSA)
        map.put("doNotPrompt", "true");    // never ask for a password; fail if no cached TGT is usable
        map.put("renewTGT", "true");       // if the cached TGT has expired, try to renew it at login time
        map.put("debug", "true");          // module-level debug output

        // No CallbackHandler and no shared state: everything must come from the cache
        krb5.initialize(subject, null, null, map);
        krb5.login();   // authenticate (reads, and if needed renews, the cached TGT)
        krb5.commit();  // attach principal and tickets to the Subject
        System.out.println(subject);
    }
}

The code works fine when the ticket is not expired, i.e. when I ran kinit within 10 hours of running the code above.

I wrote this POC because I have to run JDBC-based applications using the SQL Server driver (version 4.0). I don't want long-running services to fail during the database reconnect attempts which might occur due to factors such as a network glitch resulting in a broken pipe.

Recommended answer

You are going the wrong way. First of all you should use LoginContext to obtain credentials and not interact with Kerberos 5 directly. Second, non-human access needs a keytab. This is equivalent to a TGT. Export a keytab for your server and modify the Krb5LoginModule configuration. This tutorial will help you.
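The approach the answer recommends, as an added example that is not part of the original question or answer: a JAAS configuration entry that authenticates from a keytab, driven through LoginContext instead of calling Krb5LoginModule by hand. The entry name ServiceLogin, the keytab path, the principal svc-jdbc@EXAMPLE.COM and the configuration file name are all assumed placeholders. Krb5LoginModule obtains or renews a TGT only while login() runs, so a long-running service has to re-run the login itself before the ticket expires; the ensureFresh method below does that by inspecting the TGT stored in the Subject.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KeytabLogin {
    // Assumed JAAS configuration file "service.jaas.conf", selected with
    //   -Djava.security.auth.login.config=service.jaas.conf
    //
    //   ServiceLogin {
    //       com.sun.security.auth.module.Krb5LoginModule required
    //           useKeyTab=true
    //           keyTab="/etc/security/keytabs/service.keytab"   // assumed path
    //           principal="svc-jdbc@EXAMPLE.COM"                // assumed principal
    //           storeKey=true
    //           doNotPrompt=true
    //           useTicketCache=false   // no dependency on kinit or the Windows LSA cache
    //           debug=true;
    //   };

    private final String entryName;
    private LoginContext ctx;

    public KeytabLogin(String entryName) {
        this.entryName = entryName;
    }

    // Authenticate with the keytab named in the JAAS entry and return the populated Subject.
    public synchronized Subject login() throws LoginException {
        ctx = new LoginContext(entryName);
        ctx.login();
        return ctx.getSubject();
    }

    // Locate the TGT (service principal krbtgt/REALM@REALM) among the Subject's private credentials.
    public static KerberosTicket findTgt(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return t;
            }
        }
        return null;
    }

    // Re-authenticate from the keytab when the TGT is missing, expired, or about to expire.
    // Call this before each reconnect attempt so a stale ticket never reaches the driver.
    public synchronized Subject ensureFresh(long graceMillis) throws LoginException {
        Subject subject = ctx.getSubject();
        KerberosTicket tgt = findTgt(subject);
        boolean stale = tgt == null
                || !tgt.isCurrent()
                || tgt.getEndTime().getTime() - System.currentTimeMillis() < graceMillis;
        if (stale) {
            try {
                ctx.logout(); // discard the old credentials before logging in again
            } catch (LoginException ignored) {
                // nothing to clean up if the context was never logged in
            }
            return login();
        }
        return subject;
    }

    public static void main(String[] args) throws Exception {
        KeytabLogin kl = new KeytabLogin("ServiceLogin");
        kl.login();

        // Refresh if less than 5 minutes of ticket lifetime remain, then run the
        // Kerberos-authenticated work (e.g. opening the JDBC connection) as that Subject.
        Subject subject = kl.ensureFresh(5 * 60 * 1000L);
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            System.out.println("Authenticated as " + subject.getPrincipals());
            // DriverManager.getConnection(...) would go here
            return null;
        });
    }
}
```

Because the credentials come from the keytab rather than a ticket cache, the allowtgtsessionkey registry setting and the 10-hour kinit window from the question no longer matter; the service can always obtain a new TGT on its own, and the keytab file is the secret to protect (restrict its file permissions to the service account).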

