
Running a Java app using JAAS, I got a surprising effect:
The Java client application wasn't able to access the Windows LSA until I installed the MIT Kerberos tool 'kfw-4.0.1-i386.msi'.

The JAAS conf file settings:

WEBSTART_CLIENT_CONTEXT {
   com.sun.security.auth.module.Krb5LoginModule required
   useTicketCache=true
   renewTGT=true
   doNotPrompt=false
   debug=true;
};

Running Java 1.8 on Windows 7.
I got the logging using -Dsun.security.krb5.debug=true

[Image: JAAS/krb comparison between with/without MIT tool. Left: without MIT tool installed, fails. Right: with the MIT tool installed, succeeds.]

I tried setting the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters, value name allowtgtsessionkey, to 0 and 1, but that didn't change anything while the MIT tool was uninstalled.

Can someone tell me if it is possible to access the LSA without installing the MIT tool? Or point me to information on how JAAS interacts with the Windows LSA?

Houtman
  • A very interesting observation. I will try to reproduce it on Monday. Is your account a local admin? – Michael-O Nov 06 '15 at 15:31
  • No, 'tester1' is not local admin. Checked out user settings on AD and local machine. Just to make sure, tried to run something with 'As admin' and entering 'tester1' credentials, which failed saying it requires 'elevation'. Interested in what you find, since I'm fairly new to Kerberos – Houtman Nov 06 '15 at 16:12

0 Answers