Reputation: 995
Is it possible to use the credentials (or even a token) that a user entered when he logged in to Windows, let's say XP? What I am in search of here is not applying a single sign-on (which requires signing in again), but the single sign-on would be that of the MS Windows log-in window.
Is this possible? I understand security in Windows is of high importance as well, but isn't there a way to get a token and use it in some other authentication mechanism?
Note: the first and only sign-in would be that of the Microsoft Windows log-in window, and then the user would be able to access my application using the cached credentials (but without re-logging in).
Upvotes: 8
Views: 1124
Reputation: 9481
You can do it if your machine is a member of a domain. Google for GSSAPI. And use this string for your login module configuration:
com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true doNotPrompt=true;
Note, this works only for Sun's JVM; as far as I know, IBM JVMs do not support getting the ticket from the OS.
Also, here is more information for you: http://msmvps.com/blogs/sp/archive/2007/06/05/integrating-java-jdbc-and-kerberos.aspx
Also, for this to work on a modern version of Windows you have to tweak your registry settings:
On Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
allowtgtsessionkey
REG_DWORD
0x01
Here is the location of the registry setting on Windows XP SP2:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
allowtgtsessionkey
REG_DWORD
0x01
Upvotes: 3
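The login module options from the answer above, applied through the standard JAAS API, as an added example that is not part of the original answer. The class name TicketCacheLogin and the entry name "WindowsSso" are arbitrary choices made for this example; the options are built in code so no separate JAAS configuration file is needed.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class TicketCacheLogin {
    // Same options as the login module line in the answer, built in code
    // instead of being read from a JAAS configuration file.
    static Configuration ticketCacheConfig() {
        Map<String, String> options = new HashMap<>();
        options.put("useTicketCache", "true"); // reuse the ticket from the OS logon session
        options.put("doNotPrompt", "true");    // fail instead of asking for a password
        options.put("debug", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) {
        try {
            // "WindowsSso" is an arbitrary entry name chosen for this example.
            LoginContext ctx = new LoginContext("WindowsSso", new Subject(), null, ticketCacheConfig());
            ctx.login();
            for (Principal p : ctx.getSubject().getPrincipals()) {
                System.out.println("Authenticated as " + p.getName());
            }
            ctx.logout();
        } catch (LoginException e) {
            // With doNotPrompt=true there is no password fallback: a missing or
            // unusable ticket (machine not in a domain, TGT session key not
            // exported by Windows) ends up here.
            System.err.println("No usable Kerberos ticket: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

The allowtgtsessionkey value listed in the answer makes Windows hand the TGT session key to user-mode processes, so it is worth setting only on machines that need this and tracking where it is enabled.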