Question

I'm using Kerberos authentication to log in to ActiveDirectory. I'm doing it with GSSAPI.

Currently, I'm using a krb5.conf file that describes the realms, encryption algs and more, and the authentication works fine.

I would like to avoid using this file. Can I programmatically configure Kerberos without using this file?

Thanks.


Solution

You could try just configuring two system properties:

java.security.krb5.kdc
java.security.krb5.realm

Note that you can't programmatically configure anything beyond this if you are using JDK's native support for Kerberos.

If you are coding for Windows, I would warmly recommend using WAFFLE to achieve seamless Single Sign-On. It doesn't have a GSS-API adapter, though. I wrote my own, but only because the rest of the system already relied on it. You could just as easily skip GSS-API and program directly against WAFFLE.

OTHER TIPS

If you only want to avoid a system-wide krb5.conf, you can create it in your program in any directory with any name (say, in your home directory) and use it by setting the Java system property java.security.krb5.conf to its full path. I do believe this has to be done before you call any Kerberos-related code.
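The two approaches described above (the realm/KDC system properties, and a krb5.conf generated at runtime), as an added example that is not code from either post. The class and method names are hypothetical, and the realm EXAMPLE.COM and host dc01.example.com are constructed placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

public class KerberosBootstrap {
    // Constructed sample values; replace with your own realm and KDC host.
    static final String REALM = "EXAMPLE.COM";
    static final String KDC = "dc01.example.com";

    // Option A: no file at all. The JDK requires both properties to be set together.
    static void configureWithProperties() {
        System.setProperty("java.security.krb5.realm", REALM);
        System.setProperty("java.security.krb5.kdc", KDC);
    }

    // Option B: write a private krb5.conf at startup and point the JDK at it.
    static Path configureWithGeneratedFile() throws IOException {
        String conf = String.join("\n",
                "[libdefaults]",
                "    default_realm = " + REALM,
                "[realms]",
                "    " + REALM + " = {",
                "        kdc = " + KDC,
                "    }",
                "");
        Path file;
        try {
            // Owner-only permissions so other local users cannot swap in a different KDC.
            file = Files.createTempFile("krb5-", ".conf",
                    PosixFilePermissions.asFileAttribute(
                            PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): fall back to the default ACLs.
            file = Files.createTempFile("krb5-", ".conf");
        }
        Files.write(file, conf.getBytes(StandardCharsets.UTF_8));
        file.toFile().deleteOnExit();
        System.setProperty("java.security.krb5.conf", file.toAbsolutePath().toString());
        return file;
    }

    public static void main(String[] args) throws IOException {
        // Run one of the two options before any JAAS or GSS-API call is made.
        if (args.length > 0 && args[0].equals("file")) {
            System.out.println("krb5.conf written to " + configureWithGeneratedFile());
        } else {
            configureWithProperties();
            System.out.println("Configured realm " + REALM + " via system properties");
        }
    }
}
```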

[From the MIT official Documents: https://web.mit.edu/kerberos/krb5-latest/doc/admin/index.html]

It seems there may be no official method to configure Kerberos without krb5.conf; even ignoring some parts of keytabs (they are defined to be auto-fetched at TGS status, but sometimes things get weird) will lead to fatal errors.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow