
Kerberos and Java – a test application

Every now and then I get an assignment that includes an application that should use Kerberos authentication for access to a resource of some sort. One of the first things I like to try out is to use the program below to see that I have got the correct credentials and that the resource is up and running. Because I rarely work with this I thought it would be best to put the code and instructions here:

1. First we create a krb5.conf file with the settings for the domain in question. There are a few ways to do this but I usually use the following way:

>kinit <user name> #Creates an entry in the auth table for that user
>klist #Displays all entries in the auth table.
Credentials cache: C:\Users\niklas\krb5cc_niklas

Default principal: niklas@MYDOMAIN.SE, 1 entry found.

[1]  Service Principal:  krbtgt/MYDOMAIN.SE@MYDOMAIN.SE
     Valid starting:     Jun 09,  2023 10:12:50
     Expires:            Jun 09,  2023 20:12:50

Here we can see the domain to use: MYDOMAIN.SE. This will be used in the [realms] section of the krb5.conf file.

Now we need the DNS/IP for a KDC to put in the [libdefaults] section

>nslookup -type=srv _kerberos._tcp.MYDOMAIN.SE

Server:  dns1.mydomain.se

_kerberos._tcp.MYDOMAIN.SE      SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = kdc0093.mydomain.se
_kerberos._tcp.MYDOMAIN.SE      SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = kdc0094.mydomain.se
_kerberos._tcp.MYDOMAIN.SE      SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = kdc0099.mydomain.se

Here we can pick one and fill in the krb5.conf file like below:

[libdefaults]
    default_realm = MYDOMAIN.SE
[realms]
    MYDOMAIN.SE = {
        kdc = kdc0093.mydomain.se
    }

After this we also need a login.conf with some settings needed for the demo program.

2. Login.conf

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=false useTicketCache=true;
};

3. Now it is time for the program

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;

public class RunHttpKerberos {

    static final String kuser = "admin"; // Username
    static final String kpass = "admin"; // Password
    static final String kurl = "https://resource.mydomain.se/data"; // Resource to fetch

    // Called by the HTTP client when the server requests authentication
    static class MyAuthenticator extends Authenticator {
        @Override
        public PasswordAuthentication getPasswordAuthentication() {
            return (new PasswordAuthentication(kuser, kpass.toCharArray()));
        }
    }

    public static void main(String[] args) throws Exception {
        Authenticator.setDefault(new MyAuthenticator());
        URL url = new URL(kurl);
        InputStream ins = url.openConnection().getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
        String str;
        // Print the resource line by line
        while ((str = reader.readLine()) != null)
            System.out.println(str);
        reader.close();
    }
}

4. Compile and run the program with the following arguments


For DEBUG logging slap on a “-Dsun.security.krb5.debug=true”

If auth works you should see the resource printed in console

Tested on Java 1.8.0_352 and Windows 10
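
A check of the Kerberos login on its own, as an added example that is not part of the original post: it logs in through the com.sun.security.jgss.krb5.initiate entry from login.conf and lists the tickets obtained, so a credential problem can be told apart from a resource that is down. The class name CheckKerberosLogin and the location of krb5.conf and login.conf in the working directory are assumptions; the password is prompted for on the console instead of being hardcoded.

```java
import java.io.Console;
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example (hypothetical class name): tests the Kerberos login without the HTTP request.
public class CheckKerberosLogin {
    static final String ENTRY = "com.sun.security.jgss.krb5.initiate"; // entry name in login.conf

    public static void main(String[] args) {
        // Assumption: both files are in the working directory unless overridden with -D.
        if (System.getProperty("java.security.krb5.conf") == null)
            System.setProperty("java.security.krb5.conf", "krb5.conf");
        if (System.getProperty("java.security.auth.login.config") == null)
            System.setProperty("java.security.auth.login.config", "login.conf");

        // Used only when the ticket cache holds no usable TGT (doNotPrompt=false).
        CallbackHandler prompt = callbacks -> {
            Console console = System.console();
            if (console == null) throw new IOException("no console available for prompting");
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback)
                    ((NameCallback) cb).setName(console.readLine("User: "));
                else if (cb instanceof PasswordCallback)
                    ((PasswordCallback) cb).setPassword(console.readPassword("Password: "));
                else throw new UnsupportedCallbackException(cb);
            }
        };

        try {
            LoginContext lc = new LoginContext(ENTRY, prompt);
            lc.login(); // ticket cache first (useTicketCache=true), then the prompt
            Subject subject = lc.getSubject();
            System.out.println("Principals: " + subject.getPrincipals());
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class))
                System.out.println(t.getServer() + " expires " + t.getEndTime()
                        + (t.isCurrent() ? "" : " (EXPIRED)"));
        } catch (LoginException e) {
            System.err.println("Kerberos login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

If this prints a krbtgt ticket for the realm but RunHttpKerberos still fails, the problem lies with the resource or its service principal, not with the user's credentials.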