I am using Krb5LoginModule in one of the POC. I have provided useDefaultCache=true and renewTGT=true.
The code throws an exception when the ticket is expired although I have mentioned renewTGT=true. I have set up allowtgtsessionkey value to 1 in windows registry (I am running XP SP2). The KDC (ActiveDirectory) settings are default. Ticket lifetime = 10 hours and renewal request threshold = 7 days.
Source Code
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import com.sun.security.auth.module.Krb5LoginModule;
public class Temp3 {
public static void main(String[] args) throws Exception {
System.setProperty("sun.security.krb5.debug", "true");
Subject subject = new Subject();
Krb5LoginModule krb5 = new Krb5LoginModule();
Map map = new HashMap ();
map.put("useTicketCache", "true");
map.put("doNotPrompt", "true");
map.put("renewTGT", "true");
map.put("debug", "true");
krb5.initialize(subject, null, null, map);
krb5.login();
krb5.commit();
System.out.println(subject);
}
}
The code works fine when the ticket is not expired i.e the time I ran kinit within 10 hours of running the code above.
I wrote this POC because I have to run JDBC based applications using SQL Server driver (version 4.0). I don't want long running services to fail during the database reconnect attempts which might occur due to factors such as network glitch resulting in broken pipe.
解决方案
You are going the wrong way. Fist of all you should use LoginContext to obtain credentials and not interact with Kerberos 5 directly. Second, non-human access needs a keytab. This is equivalent to a TGT. Export a Keytab for your server and modify the Krb5LoginModule configration. This tutorial will help you.