IBM JRE kinit utility to enable Kerberos/SPNEGO SSO for local administrators

If a Microsoft Active Directory domain user has local administrative privileges on a client computer, Microsoft Windows still restricts third-party applications from retrieving ticket-granting ticket (TGT) and session key pairs from the Kerberos security package.

This restriction is true even if the user makes the Kerberos session key available to the IBM JRE. For users who are running ELM Eclipse clients, there are two suggested workarounds:
  • Rely on fallback authentication.
  • Obtain a Kerberos ticket-granting ticket (TGT) and session key by using the kinit utility that is included with the IBM JRE.

IBM JRE kinit utility

The IBM JRE kinit utility provides an alternative way to authenticate with Active Directory instead of Windows logon authentication. The user must be registered as a principal with the Key Distribution Center (KDC) prior to running kinit.

For the kinit utility to work, a krb5.conf or krb5.ini file must be configured. The kinit utility creates a ticket cache file in the user's home directory with the name krb5cc_uid, where uid is the user ID. Unlike Windows logon authentication, kinit tickets, by default, expire after a day and do not renew. The ticket expiry behavior can be changed by making server configuration changes.
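A minimal krb5.ini of the kind the kinit utility needs, added here as an illustration and not taken from the IBM documentation. The realm name EXAMPLE.COM, the KDC host dc1.example.com and the file location are assumptions; in an Active Directory environment the realm is the uppercase DNS name of the domain and the KDC is a domain controller. The IBM JRE reads the file from the path given by the java.security.krb5.conf system property if set, otherwise from the platform default (on Windows, assumed here to be C:\Windows\krb5.ini).

```ini
; Added sample krb5.ini (assumed values, not from the IBM page).
; The realm and KDC must match the Active Directory domain the user logs on to.
[libdefaults]
    default_realm = EXAMPLE.COM
    ; AES types match what current Active Directory issues for domain accounts
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        ; a domain controller acts as KDC; port 88 is the Kerberos default
        kdc = dc1.example.com:88
    }

[domain_realm]
    ; map host names under the domain to the realm
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With the file in place, running the JRE's kinit as kinit user@EXAMPLE.COM (from the JRE bin directory) prompts for the password and writes the krb5cc_uid cache into the user's home directory; any mismatch between default_realm and the user's actual domain shows up as a failed kinit before the Eclipse client is involved.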

Important: The ticket cache file takes precedence over any tickets that are managed by the Windows operating system. If a user runs kinit to authenticate and later wants to use Windows tickets instead (for example, if the user's local administrative rights are removed), the user must first delete the ticket cache file.
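Because the kinit cache file silently takes precedence over Windows-managed tickets, a forgotten cache is a common reason a user "still cannot log in" after their local administrator rights were removed. The following PowerShell is an added example (not IBM's code) that locates such a cache and removes it only on request. It assumes the cache is in the user's profile directory with a name beginning with krb5cc_ (the page's krb5cc_uid), or at the path named by a KRB5CCNAME environment variable if one is set; both locations are assumptions about this deployment.

```powershell
# Added example, not from the IBM documentation.
# Finds a kinit ticket cache that would shadow Windows Kerberos tickets.
function Get-KinitTicketCache {
    [CmdletBinding()]
    param()

    $candidates = @()

    # Assumption: KRB5CCNAME, when set, names an explicit cache file
    # (an optional "FILE:" prefix is stripped).
    if ($env:KRB5CCNAME) {
        $explicit = $env:KRB5CCNAME -replace '^FILE:', ''
        if (Test-Path -LiteralPath $explicit) {
            $candidates += Get-Item -LiteralPath $explicit
        }
    }

    # Default location per the page: krb5cc_<uid> in the user's home directory.
    $profileDir = $env:USERPROFILE
    if ($profileDir -and (Test-Path -LiteralPath $profileDir)) {
        $candidates += Get-ChildItem -LiteralPath $profileDir -Filter 'krb5cc_*' `
            -File -ErrorAction SilentlyContinue
    }

    $candidates | Sort-Object FullName -Unique
}

# Reports each cache found and deletes it only when not run with -WhatIf.
function Remove-KinitTicketCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $caches = @(Get-KinitTicketCache)
    if ($caches.Count -eq 0) {
        Write-Host 'No kinit ticket cache found; the JRE will use Windows-managed tickets.'
        return
    }
    foreach ($cache in $caches) {
        Write-Host ("Found kinit cache {0} (last written {1})" -f $cache.FullName, $cache.LastWriteTime)
        if ($PSCmdlet.ShouldProcess($cache.FullName, 'Delete ticket cache')) {
            Remove-Item -LiteralPath $cache.FullName -Force
        }
    }
}

# Usage:
#   Remove-KinitTicketCache -WhatIf   # report only, change nothing
#   Remove-KinitTicketCache           # delete, so Windows tickets are used again
```

Run the -WhatIf form first when troubleshooting: the last-write time of the cache tells you whether it predates the change in the user's rights, and deleting it is exactly the step the note above requires before Windows tickets are consulted again.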

If client logging is enabled, and an Active Directory domain user with local administrative privileges cannot log in with the ELM Eclipse client because of this restriction, the following exception is logged:
     status code: 31
     message: Integrity check on decrypted field failed

The cause of the exception might not be obvious. It might seem as though a user is not a local administrator because they are not a member of the Administrators group on the client computer. However, it might be that the user or an administrator added YOURDOMAIN\Domain Users, YOURDOMAIN\Domain Admins, or both to the local Administrators group.
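The membership check described above is easy to get wrong by looking only at direct members of the local Administrators group. The PowerShell below is an added example (not IBM's code) that compares the groups in the current user's logon token with the groups nested in local Administrators, so a user who is an effective administrator only through YOURDOMAIN\Domain Users or YOURDOMAIN\Domain Admins is reported as such. It assumes the LocalAccounts module (Windows 10 / Server 2016 and later) and that the check is run as the affected user; the group names it flags come from the page.

```powershell
# Added example, not from the IBM documentation.
# Explains how a user who is not listed directly in the local Administrators
# group can still be a local administrator: a domain group in their token
# (for example YOURDOMAIN\Domain Users) was added to Administrators.
function Get-EffectiveLocalAdminPath {
    [CmdletBinding()]
    param()

    # Direct members of the local Administrators group (users and groups).
    $adminMembers = @(Get-LocalGroupMember -Group 'Administrators')

    # Groups carried in the current user's logon token; whoami emits CSV
    # with a "Group Name" column such as "YOURDOMAIN\Domain Users".
    $tokenGroups = @(whoami /groups /fo csv | ConvertFrom-Csv |
        ForEach-Object { $_.'Group Name' })

    $current = "$env:USERDOMAIN\$env:USERNAME"
    $direct  = @($adminMembers | Where-Object { $_.Name -ieq $current })

    # A group that is both in Administrators and in the token is a nesting
    # path that grants local admin rights without a direct membership entry.
    $viaGroups = @($adminMembers | Where-Object {
        $_.ObjectClass -eq 'Group' -and ($tokenGroups -icontains $_.Name)
    } | ForEach-Object { $_.Name })

    [pscustomobject]@{
        User             = $current
        DirectMember     = ($direct.Count -gt 0)
        ViaGroups        = $viaGroups
        IsEffectiveAdmin = ($direct.Count -gt 0) -or ($viaGroups.Count -gt 0)
    }
}

$result = Get-EffectiveLocalAdminPath
$result

# The page names Domain Users and Domain Admins as the groups that are
# typically added to local Administrators without the user noticing.
$broadGroups = @($result.ViaGroups | Where-Object { $_ -match '\\Domain (Users|Admins)$' })
if ($broadGroups.Count -gt 0) {
    $msg = 'Local administrator rights come from {0}; this is the situation in which the ' +
           'ELM Eclipse client logs status code 31 (Integrity check on decrypted field failed).'
    Write-Warning ($msg -f ($broadGroups -join ', '))
}
```

If ViaGroups lists Domain Users, every domain account on that machine is an effective local administrator and will hit the restriction; removing that group from Administrators (or using the kinit workaround) is the fix, and the check is cheap enough to include in a logon diagnostic script.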