IBM JRE kinit utility to enable Kerberos/SPNEGO SSO for local administrators
If a Microsoft Active Directory domain user has local administrative privileges on a client computer, Microsoft Windows still restricts third-party applications from retrieving ticket-granting ticket (TGT) and session key pairs from the Kerberos security package. Two alternatives are available:
- Rely on fallback authentication.
- Obtain a Kerberos ticket-granting ticket (TGT) and session key by using the kinit utility that is included with the IBM JRE.
IBM JRE kinit utility
The IBM JRE kinit utility provides an alternative way to authenticate with Active Directory instead of Windows logon authentication. The user must be registered as a principal with the Key Distribution Center (KDC) before running kinit.
For the kinit utility to work, a krb5.conf or krb5.ini file must be configured. The kinit utility creates a ticket cache file in the user's home directory with the name krb5cc_uid, where uid is the user ID. Because this cache file holds the TGT together with its session key, it should be protected like any other credential file. Unlike Windows logon authentication, kinit tickets, by default, expire after a day and do not renew. The ticket expiry behavior can be changed by making server configuration changes.
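The prerequisites just described (a usable krb5.conf/krb5.ini that names the realm and its KDC, a ticket lifetime that matches expectations, and a cache file named krb5cc_uid in the home directory) can be verified before kinit is run. The following preflight script is an added example written for this page, not code from IBM or the IBM JRE. It contains its own small parser for the brace-nested krb5.conf format, since a plain INI parser does not handle the `REALM = { ... }` subsections. The realm, KDC host and user name are constructed placeholders, and the assumption that the uid in the cache file name corresponds to the USERNAME (Windows) or USER (Unix) environment value is the example's own.

```python
"""Preflight checks for an IBM JRE kinit setup (added example, not IBM code).

Parses a krb5.conf / krb5.ini file, confirms the realm that kinit will use has
a KDC defined, reports an over-long ticket_lifetime, and computes where the
krb5cc_<uid> ticket cache is expected to be written.
"""
import os
import re
from pathlib import Path

# Constructed sample configuration: realm, KDC and domain names are placeholders.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = YOURDOMAIN.EXAMPLE
    ticket_lifetime = 24h
    forwardable = true

[realms]
    YOURDOMAIN.EXAMPLE = {
        kdc = dc1.yourdomain.example:88
        admin_server = dc1.yourdomain.example
    }

[domain_realm]
    .yourdomain.example = YOURDOMAIN.EXAMPLE
"""

# Same file with the kdc line removed, to show what a failing check reports.
BROKEN_KRB5_INI = SAMPLE_KRB5_INI.replace("        kdc = dc1.yourdomain.example:88\n", "")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value or nested dict}}.

    Supports the `NAME = { ... }` subsections used under [realms]; a repeated
    key keeps its last value. Comments start with '#' or ';'.
    """
    conf = {}
    stack = []  # innermost dict last; stack[0] is the current [section]
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            if len(stack) > 1:
                raise ValueError("unclosed '{' before section %r" % header.group(1))
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("key/value outside any section: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            raise ValueError("expected 'key = value': %r" % raw)
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of file")
    return conf


def parse_lifetime(spec):
    """Convert a krb5 duration such as '24h', '10h30m' or '86400' to seconds."""
    if spec.isdigit():
        return int(spec)
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    total = sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([dhms])", spec))
    if total == 0:
        raise ValueError("unrecognised duration: %r" % spec)
    return total


def check_realm_config(conf, realm=None):
    """Return a list of findings to resolve before running kinit (empty = OK)."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]; add one or pass the realm explicitly"]
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or "kdc" not in realm_block:
        findings.append("realm %s has no kdc entry under [realms]" % realm)
    lifetime = libdefaults.get("ticket_lifetime")
    if lifetime and parse_lifetime(lifetime) > 86400:
        # kinit tickets expire after a day by default and are not renewed; a longer
        # request is still capped by the KDC's own maximum ticket life.
        findings.append("ticket_lifetime %s is longer than a day; the KDC maximum still applies" % lifetime)
    return findings


def expected_cache_path(home=None, uid=None):
    """Path of the cache kinit writes: <home>/krb5cc_<uid>.

    Assumption of this example: uid is the USERNAME (Windows) or USER (Unix) value.
    """
    home = Path(home) if home else Path.home()
    if uid is None:
        uid = os.environ.get("USERNAME") or os.environ.get("USER") or "unknown"
    return home / ("krb5cc_%s" % uid)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_KRB5_INI), ("broken", BROKEN_KRB5_INI)):
        findings = check_realm_config(parse_krb5_conf(text))
        print(label + ":", "; ".join(findings) or "krb5.ini looks usable")
    print("expected ticket cache:", expected_cache_path(uid="jdoe"))
```

Run it before the first kinit attempt on a workstation; an empty findings list means the realm and KDC are declared, and the printed cache path is the file whose access permissions should be reviewed once kinit has written it.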
com.ibm.security.krb5.KrbException, status code: 31 message: Integrity check on decrypted field failed
The cause of the exception might not be obvious. It might seem as though a user is not a local administrator because they are not a member of the Administrators group on the client computer. However, it might be that the user or an administrator added YOURDOMAIN\Domain Admins, or both, to the local Administrators group.