How does keytab work?

I have some questions about using keytab for authentication, hope good people here can enlighten me.

Say I have userA that will use a service running on port 1010. First, userA will log into Active Directory for authentication.


After logging in, userA will try to connect to the server to use its 1010 service. In order for the server to verify that userA is who it claims to be, I need to use setspn to register the SPN in Active Directory, e.g.

setspn -s service1010/mydomain.com serviceaccount1

Then you need to create a keytab file in Active Directory, for example

ktab -a serviceprincal1010/server.domain.com@DOMAIN.COM -k mykeytab.keytab

and then put mykeytab.keytab on the server.

On the server, I used JAAS with a login configuration for the KDC request, e.g.

ServicePrincipalLoginContext
{
  com.sun.security.auth.module.Krb5LoginModule required
  principal=serviceprincal1010/server.domain.com@DOMAIN.COM
  doNotPrompt=true useKeyTab=true keyTab=mykeytab.keytab storeKey=true;
};

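The part the question is really after, how the server uses the keytab to verify userA, looks like this in Java. This is an added illustration, not code from the question: it assumes the ServicePrincipalLoginContext entry above lives in the file named by java.security.auth.login.config, and the class and method names are hypothetical.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/** Hypothetical acceptor: verifies a Kerberos token from userA using the keytab-backed service identity. */
public class KeytabAcceptor {

    // Run with -Djava.security.auth.login.config=jaas.conf (holding the JAAS entry above)
    // and -Djava.security.krb5.conf=krb5.conf (or -Djava.security.krb5.realm / .kdc).

    /** Returns the authenticated client principal, e.g. "userA@DOMAIN.COM", or throws. */
    public static String acceptToken(byte[] clientToken) throws Exception {
        // 1. Log the service in from the keytab. Krb5LoginModule reads mykeytab.keytab;
        //    storeKey=true keeps the service's long-term key in the Subject's private credentials.
        LoginContext lc = new LoginContext("ServicePrincipalLoginContext");
        lc.login();
        Subject service = lc.getSubject();

        // 2. Run the acceptor as the service Subject so GSS-API can find that key.
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            // null credential = use the Kerberos key held by the current Subject (the keytab key)
            GSSContext ctx = manager.createContext((GSSCredential) null);
            try {
                // 3. clientToken is the AP-REQ userA obtained from the TGS for
                //    serviceprincal1010/server.domain.com. Its service ticket is encrypted
                //    with the service's long-term key, so only a holder of the keytab can decrypt it.
                byte[] reply = ctx.acceptSecContext(clientToken, 0, clientToken.length);
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                }
                // If reply is non-null the client asked for mutual auth: send it back over the
                // same connection so userA can verify the server too.
                // 4. A successful decrypt plus a valid authenticator proves the KDC issued the
                //    ticket and names the client; userA's password never crosses the wire.
                return ctx.getSrcName().toString();
            } finally {
                ctx.dispose();
            }
        });
    }
}
```

The only secret the server ever needs is the keytab; it never contacts the KDC to validate userA, which is why the keytab must be protected like a password.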



http://web.mit.edu/kerberos/dialogue.html

