I am trying to implement SSO on Windows (in Java). I recently discovered this example, doing exactly what I want to do with Waffle:

    import com.sun.jna.platform.win32.Advapi32Util;
    import com.sun.jna.platform.win32.Sspi;
    import com.sun.jna.platform.win32.Sspi.SecBufferDesc;
    import waffle.windows.auth.IWindowsAccount;
    import waffle.windows.auth.IWindowsCredentialsHandle;
    import waffle.windows.auth.IWindowsSecurityContext;
    import waffle.windows.auth.impl.WindowsAuthProviderImpl;
    import waffle.windows.auth.impl.WindowsCredentialsHandleImpl;
    import waffle.windows.auth.impl.WindowsSecurityContextImpl;

    // SSPI package used on both sides (the original snippet left this variable undefined)
    String securityPackage = "Negotiate";

    // client credentials handle
    IWindowsCredentialsHandle credentials = WindowsCredentialsHandleImpl.getCurrent(securityPackage);
    credentials.initialize();

    // initial client security context
    WindowsSecurityContextImpl clientContext = new WindowsSecurityContextImpl();
    clientContext.setPrincipalName(Advapi32Util.getUserName());
    clientContext.setCredentialsHandle(credentials.getHandle());
    clientContext.setSecurityPackage(securityPackage);
    clientContext.initialize();

    // accept on the server
    WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();
    IWindowsSecurityContext serverContext = null;
    do {
        if (serverContext != null) {
            // feed the server's reply token back into the client context (initialize on the client)
            SecBufferDesc continueToken = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, serverContext.getToken());
            clientContext.initialize(clientContext.getHandle(), continueToken);
        }
        // accept the client's token on the server
        serverContext = provider.acceptSecurityToken(clientContext.getToken(), securityPackage);
    } while (clientContext.getContinue() || serverContext.getContinue());

    // the handshake is complete: print the authenticated identity and its groups
    System.out.println(serverContext.getIdentity().getFqn());
    for (IWindowsAccount group : serverContext.getIdentity().getGroups()) {
        System.out.println(" " + group.getFqn());
    }
    ...
The example is simple, it works, and it does exactly what I want. But I don't understand how it works.
- What happens in the background?
- Does Waffle get a Kerberos ticket from Windows?
- How does the server verify the client ticket?
- Can I completely trust the user groups that I get after the do-loop from the server context?
Thanks. Thomas.