Kerberos Authentication- Web Application, Applets, Thick Client

What is Kerberos?


Kerberos aka “kərbərəs” is a computer network authentication protocol which works on the basis of ‘tickets’ to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other’s identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication. Kerberos uses UDP port 88 by default.



Doesn’t  matter which web application solution- If  falls under JAAS—>SPNEGO
–Kerberos is the solution!!


352606Adobe_ColdFusion_Builder_v2.0cropped-Oracle-weblogic-12c1jbosswebPlatform for Apache Tomcatwebligic


Break Down Incorporate Kerberos in your organization.

Why using cumbersome 3rd party authentication Solutions?

Which is best meets Application Authentication Model?

SSO or Form Base?

Web Application XML method to save your organization $$$$$$?


How does Kerberos protocol works

The Web Server has to hand-shake with browser to obtain kerberos token. The token can be validated against keytab file or connecting through Active Directory.

The below diagram explains how the handshake happens between browser and webserver to obtain kerberos token for authentication.

Environment/ Infrastructure

In this article I am going to talk about implementing Single-Sign-On in Java platform (i.e. JAAS) using Active Directory through Kerberos protocol for web-based products/applications.

I used below softwares:
JDK 1.6 – (previous version doesn’t support SPNEGO Kerberos protocol)
Windows 2003 Server with Active Directory
Windows XP with Internet Explorer 7 for client machine
Tomcat 6.0 Web Server

Required Information

The following information are required from your system administrators.

  1. Active Directory server ip address or hostname.
  2. Your complete domain name in the active directory. (Example. JAVA.SUN.COM)

Create a Server Name Alias

You have to create a server alias for WebServer to interact with ActiveDirectory for SSO token validation. Create a user called testsso and set “Password never expires” as checked. Assign a password for testsso user we will be using this password in Java coding later.

Create a Service Name

The account you created in the previous is meant to be used as an Kerberos HTTP service for the We Server. This is done in using the setspn command line tool that manages SPNs (Service Principal Name) in the Active Directory.

[More information on Setspn:].

You would need to add (-a) an SPN for such an account, associating it with the fully qualified server alias name. For example:

setspn -a HTTP/ testsso

You could see it has been successfully created listing (-l) the SPNs available for such account:

setspn -l testsso

Note: this command line utility might not be available in your OS and you should have to download it from Microsoft site.
Initial verification

You can do a basic Kerberos check using kinit tool. From one of the computers in your network that have access to the KDC (Key Distribution Center), in Windows is usually the Domain Controller, check the following using your user account (ex: testsso@JAVA.SUN.COM):

kinit testsso@JAVA.SUN.COM

If everything is ok, the command will ask you for your domain password and terminates without an error message. This command will show you the initial ticket you got from the KDC if you execute it without any argument.

Create jaas.conf file

Create a jaas.conf file and place in c:\jaas.conf location.

SSOTESTING { required
Finally the most awaited test JSP file


ACTIVE_DIRECTORY_SERVER = “<hostname/ipaddress>”;
DEAULT_DOMAIN = “<the default domain>”;
SP_PASSWORD = “<server-principal-password>”;

The best way to implement Single-Sign-On is using servlet; for easy of testing at your environment I made it as JSP. Once you get this sample code working in your environment you can nicely integrate into your framework.



  • Make sure setspn url is uniquely associated to one active directory user.
  • Internet Explorer should be able to identify your site as Intranet site. If not change the IE setting to make it as intranet site.
  • Kerberos requires the clocks of the involved hosts to be synchronized.
  • Always specify domain names in upper case. Example testsso@JAVA.SUN.COM

OC4J / OracleAS

OC4J will not recognize jaas.conf hence you need to update system-jazn-data.xml file for custom provider. Find more information in below link:


MS Kerberos Explanation

MIT Founder and Developed Kerberos



Active Directory



Leave a Reply

Your email address will not be published. Required fields are marked *