Client side SPNEGO tokens generated from a Java application
The following example output shows both client side and server side debug output.
The client side fetches the Windows TGT credentials and uses them to get a service ticket issued by the ticket granting service. The client side then generates the AP-REQ message and finally encodes it into the SPNEGO token. The SPNEGO token is then sent to the server side.
The server side decodes the SPNEGO token and grabs the inner context token. The token is then validated using JGSS methods.
Note that this sample Java application uses the exact same TGT as Internet Explorer running SPNEGO. This means that the server side handles both clients, and that the user gets true SSO (single sign-on) between Java applications and Internet Explorer sessions.
See the article "Client side single sign-on using SPNEGO with Java" for more details on how to generate client side SPNEGO tokens.
See the presentation "SPNEGO authentication using JGSS" for a high level description of the SPNEGO library (server side) functionality.
See the SPNEGO FAQ for frequently asked questions on the SPNEGO topic.
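The client and server steps described above, written as an added example against the SPNEGO mechanism the JDK has shipped since Java 6 (this is not the page's own code; the j2sdk1.4.2-era library in the output built the SPNEGO wrapper itself). It assumes two JAAS entries named SpnegoClient and SpnegoServer in the login configuration file, a reachable KDC for TEST.NET, and the page's service principal HTTP/spnego.test.net@TEST.NET.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class SpnegoRoundTrip {
    // Assumed: login.config holds "SpnegoClient" (Krb5LoginModule useTicketCache=true doNotPrompt=true)
    // and "SpnegoServer" (Krb5LoginModule useKeyTab=true storeKey=true principal=SPN keyTab=...).
    static final String SPN = "HTTP/spnego.test.net@TEST.NET";   // service principal from the page
    static final Oid SPNEGO = oid("1.3.6.1.5.5.2");               // SPNEGO mechanism OID
    static final Oid KRB5 = oid("1.2.840.113554.1.2.2");          // Kerberos V5 mechanism OID
    static Oid oid(String dotted) {
        try { return new Oid(dotted); } catch (GSSException e) { throw new IllegalStateException(e); }
    }
    /** Client side: TGT from the ticket cache (LSA on Windows), service ticket, AP-REQ wrapped in SPNEGO. */
    static byte[] clientToken(Subject client) throws Exception {
        return Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName server = mgr.createName(SPN, GSSName.NT_USER_NAME, KRB5);
            GSSContext ctx = mgr.createContext(server, SPNEGO, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false);                  // one-shot token, as in the page's client output
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;   // GSS InitialContextToken: 0x60 <len> 06 06 2b 06 01 05 05 02 (SPNEGO OID) ...
        });
    }
    /** Server side: accept the token with the keytab credential; the peer name is the authenticated user. */
    static String acceptToken(Subject server, byte[] token) throws Exception {
        return Subject.doAs(server, (PrivilegedExceptionAction<String>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                                                      SPNEGO, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = mgr.createContext(cred);
            ctx.acceptSecContext(token, 0, token.length);  // verifies the inner AP-REQ against the keytab key
            if (!ctx.isEstablished()) throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            String user = ctx.getSrcName().toString();     // e.g. test@TEST.NET
            ctx.dispose();
            return user;
        });
    }
    public static void main(String[] args) throws Exception {
        LoginContext client = new LoginContext("SpnegoClient"); client.login();
        LoginContext server = new LoginContext("SpnegoServer"); server.login();
        byte[] token = clientToken(client.getSubject());
        System.out.println("SPNEGO token: " + Base64.getEncoder().encodeToString(token));
        System.out.println("Authenticated user: " + acceptToken(server.getSubject(), token));
    }
}
```

On Windows the JDK can only reuse the logon TGT from the LSA cache (the ">>> Obtained TGT from LSA" line in the output) when the allowtgtsessionkey registry value is enabled, otherwise the cached ticket arrives without its session key and the service ticket request fails.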
SPNEGO client output
aquireDefaultCreds***
>>>KinitOptions cache name is C:\Documents and Settings\test.TEST\krb5cc_test
Credentials:
client=test
server=krbtgt/TEST.NET
authTime=20040425203636Z
startTime=20040425203636Z
endTime=20040426063636Z
renewTill=20040502203636Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 3
aquireTGT***
>>>KinitOptions cache name is C:\Documents and Settings\test.TEST\krb5cc_test
>>> Obtained TGT from LSA: Credentials:
client=test
server=krbtgt/TEST.NET
authTime=20040425203636Z
startTime=20040425203636Z
endTime=20040426063636Z
renewTill=20040502203636Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 3
Credentials:
client=test
server=krbtgt/TEST.NET
authTime=20040425203636Z
startTime=20040425203636Z
endTime=20040426063636Z
renewTill=20040502203636Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 3
clientPrincipal***
test@TEST.NET
aquireServiceCreds***
>>> Credentials acquireServiceCreds: same realm
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbKdcReq send: kdc=192.168.202.2 UDP:88, timeout=60000, number of retries =3, #bytes=1245
>>> KDCCommunication: kdc=192.168.202.2 UDP:88, timeout=60000,Attempt =1, #bytes=1245
>>> KrbKdcReq send: #bytes read=1189
>>> KrbKdcReq send: #bytes read=1189
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Credentials:
client=test@TEST.NET
server=HTTP/spnego.test.net@TEST.NET
authTime=20040425223636Z
startTime=20040425225410Z
endTime=20040426083636Z
renewTill=null
flags: PRE-AUTHENT
EType (int): 1
******
SPNEGO authentication $Revision: 1.1 $
(c) 2004 Bo Friis
This is a demonstration license and is not for production use
Contact IT Practice A/S at http://www.it-practice.dk for further details
Author: Jens Bo Friis, email: jbf_AT_it-practice.dk
******
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: f591d6e0
>>>crc32: 11110101100100011101011011100000
KrbApReq***
boIETjCCBEqgAwIBBaEDAgEOogcDBQAgAAAAo4IDimGCA...
SPNEGO server output
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null KeyTab is /j2sdk1.4.2/jre/lib/security/spnegoall.keytab refreshKrb5Config is false principal is HTTP/spnego.test.net@TEST.NET tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTab: load() entry length: 56
>>> KeyTabInputStream, readName(): TEST.NET
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): spnego.test.net
>>> KeyTab: load() entry length: 57
>>> KeyTabInputStream, readName(): TEST.NET
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): spnego1.test.net
principal's key obtained from the keytab
principal is HTTP/spnego.test.net@TEST.NET
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 1
>>> KrbKdcReq send: kdc=192.168.202.2 UDP:88, timeout=60000, number of retries =3, #bytes=229
>>> KDCCommunication: kdc=192.168.202.2 UDP:88, timeout=60000,Attempt =1, #bytes=229
>>> KrbKdcReq send: #bytes read=1259
>>> KrbKdcReq send: #bytes read=1259
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 3bc48194
>>>crc32: 111011110001001000000110010100
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/spnego.test.net
Added server's keyKerberos Principal HTTP/spnego.test.net@TEST.NETKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: BC 57 0E 37 2C A8 85 C8
[Krb5LoginModule] added Krb5Principal HTTP/spnego.test.net@TEST.NET to Subject
Commit Succeeded
Found key for HTTP/spnego.test.net@TEST.NET
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null KeyTab is /j2sdk1.4.2/jre/lib/security/spnegoall.keytab refreshKrb5Config is false principal is HTTP/spnego.test.net@TEST.NET tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTab: load() entry length: 56
>>> KeyTabInputStream, readName(): TEST.NET
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): spnego.test.net
>>> KeyTab: load() entry length: 57
>>> KeyTabInputStream, readName(): TEST.NET
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): spnego1.test.net
principal's key obtained from the keytab
principal is HTTP/spnego.test.net@TEST.NET
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 1
>>> KrbKdcReq send: kdc=192.168.202.2 UDP:88, timeout=60000, number of retries =3, #bytes=229
>>> KDCCommunication: kdc=192.168.202.2 UDP:88, timeout=60000,Attempt =1, #bytes=229
>>> KrbKdcReq send: #bytes read=1259
>>> KrbKdcReq send: #bytes read=1259
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 4c6985af
>>>crc32: 1001100011010011000010110101111
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/spnego.test.net
Added server's keyKerberos Principal HTTP/spnego.test.net@TEST.NETKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: BC 57 0E 37 2C A8 85 C8
[Krb5LoginModule] added Krb5Principal HTTP/spnego.test.net@TEST.NET to Subject
Commit Succeeded
Found key for HTTP/spnego.test.net@TEST.NET
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: cf98fa93
>>>crc32: 11001111100110001111101010010011
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: f591d6e0
>>>crc32: 11110101100100011101011011100000
>>> Config reset default kdc TEST.NET
replay cache for test@TEST.NET is null.
object 0: 1082930051064/64000
object 0: 1082930051064/64000
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 728
Krb5Context setting mySeqNumber to: 728
Authenticated user: test@TEST.NET