Part III: Deploying for Single Sign-On in a Kerberos Environment

Exercise 6: Deploying for Single Sign-On

Goal of This Exercise

The goal of this exercise is to learn how to configure a JAAS application that uses Kerberos for authentication to achieve single sign-on. Single sign-on means that the user needs to authenticate only once to a system or a collection of services. After the initial authentication, the user can access other services in the system using the same identity that was used for the initial authentication.

Single sign-on can be used to describe different types of authentication. There are HTTP-based network single sign-on protocols. There is Kerberos-based single sign-on for network services. In this particular exercise, we show how to achieve single sign-on in Kerberos-based systems by showing how to import already-acquired Kerberos credentials from the underlying native operating system.

Background and Resources for This Exercise

See Single Sign-on Using Kerberos in Java. In addition, see the information provided in Exercise 2: Configuring JAAS for Kerberos Authentication and Exercise 4: Using the Java SASL API for background information about Kerberos and Java GSS.

Steps to Follow

  1. Edit the jaas-krb5.conf configuration file.

    This file contains two entries: one named client and one named server. Add the line useTicketCache=true to the client entry.

  2. Perform a Kerberos login to the native operating system. To log in to Kerberos, use the kinit command as follows:

    % kinit test

    Provide a secure password.

  3. Run the client and server programs in Exercises 1 through 5 and you will note that the client applications no longer ask you to enter a password.
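
To confirm that the login in step 3 really came from the native ticket cache and not from a password prompt, the following added example (not part of the tutorial's own programs) logs in through the client entry with a callback handler that rejects every prompt, then prints the imported ticket. The class name TicketCacheCheck is hypothetical, and the JVM is assumed to be started with the same JAAS and Kerberos configuration options as the earlier exercises.

```java
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example with a hypothetical class name; not one of the exercise programs.
// Run it after `kinit test`, pointing the JVM at jaas-krb5.conf, for example:
//   java -Djava.security.auth.login.config=jaas-krb5.conf TicketCacheCheck
public class TicketCacheCheck {

    // Any callback means Krb5LoginModule found no usable ticket in the cache
    // and fell back to asking for a name or password: treat that as a failure.
    static final CallbackHandler NO_PROMPT = (Callback[] callbacks) -> {
        throw new UnsupportedCallbackException(callbacks[0],
                "ticket cache was not used; the login module tried to prompt");
    };

    public static void main(String[] args) {
        try {
            // "client" is the entry that now contains useTicketCache=true.
            LoginContext lc = new LoginContext("client", NO_PROMPT);
            lc.login();

            // The imported TGT is stored as a private credential of the Subject.
            Set<KerberosTicket> tickets =
                    lc.getSubject().getPrivateCredentials(KerberosTicket.class);
            if (tickets.isEmpty()) {
                System.err.println("Login succeeded but the Subject holds no Kerberos ticket");
                System.exit(2);
            }
            for (KerberosTicket t : tickets) {
                System.out.println("client : " + t.getClient());
                System.out.println("server : " + t.getServer());
                System.out.println("expires: " + t.getEndTime());
                System.out.println("current: " + t.isCurrent());
            }
            lc.logout();
        } catch (LoginException e) {
            // Typical causes: kinit was not run, the ticket expired, or the
            // client entry is missing useTicketCache=true.
            System.err.println("Single sign-on login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A non-zero exit status means the client entry would have prompted for a password, so the single sign-on configuration is not in effect for that JVM.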