× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. PCTECH
  3. August 2011

Re: How to save Windows credentials cache to disk

I learned about the xp thing - and what to do about it - this link shows the 2 registry locations, one of which you need to set, depending on windows version -

http://www.javaactivedirectory.com/?page_id=93

The JVM we are using is actually a thing called IKVM - it is a .Net wrapper around jar files. We are using it to be able to use jt400 functions in .Net apps - pretty cool. Trouble is, that the stuff to retrieve Kerberos tickets was never coded in IKVM - the developer just this May said that no one is asking and that it is really a lot of work to write.

So IKVM is a sort-of JVM, what I called a wrapper-over-Java below.

IBM partner support sent me some sample code for connecting with jt400, using Kerberos authentication, and they included the somersaults they had to use to make it work!! Once I had set that registry value, things worked fine - in jt400, all you need to do is create the AS400 object using only the IP address or host name - no user or password - it'll try to use Kerberos, and if you are logged into a Windows domain, it just works. Magic!!

When running the same methods in the IKVM, it fails, saying it could not retrieve the ticket - something like that. But if I run the Kinit method in Sun's JVM, which puts the ticket into a credential cache file, it works.

What I have found, with a lot of help from IBM partner support, is that there is a set of LSA* APIs in Windows that can get this stuff - had to be, right? The OpenJDK project has its source available and includes calls to these APIs. Trouble is, there is all this Java JNI stuff around it - so I also got the MIT KfW (Kerberos for Windows) code, and that also has everything - and that will be easier to adapt.

I'm hoping that there is a higher-level something .Net-ish, and I have a ticket in with Microsloth, but I don't hold out much hope - the last thing the tech said was I should be using SSPI - duh!! I don't think so. But might have a call with an SME tomorrow.

So things look promising - of course, any one in this list who has worked with the LSA* stuff, their knowledge and help will be appreciated greatly!!

Thanks
Vern

On 8/21/2011 5:51 PM, Thorbjoern Ravn Andersen wrote:
Den 03/08/11 22.07, Vern Hamberg skrev:
Yeah, agreed, but I'm not retrieving a password - not at all - in fact,
I have no interest even in the windows user name.

What I do want is to get the Kerberos ticket-granting-ticket in some
form that this wrapper-over-java can use to authenticate to the iSeries.

What JVM are you using and is there any Windows tweaks? The Sun JVM has
had trouble getting the TGT under Windows since an XP service pack. (and
I'd really like it to work)


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.