I'm using GSSAPI in Java in order to login to an LDAP server using Kerberos authentication. I'm a newbie to Kerberos, so I'm sorry if this is an obvious question, but I couldn't find anything clear enough on the internet.

I perform the following steps:

1. Define Login configuration by setting the system property "java.security.auth.login.config" to the configuration file path.
2. Call LoginContext.login() with the name of the configuration and a self defined callback handler
3. In case login succeeded, "pretend to be" the subject (by using Subject.doAs()), and connect to the LDAP server by creating a new InitialLDAPContext with the appropriate environment variables.

Now, My problem is I don't understand which step correlates to which kerberos action? Is it correct to say that after the login action I only have a TGT? When do I get the service specific ticket?

Thanks, Dikla

The class com.sun.security.auth.module.Krb5LoginModule is Sun's implementation of a login module for the Kerberos version 5 protocol. Upon successful authentication the Ticket Granting Ticket (TGT) is stored in the Subject's private credentials set and the Kerberos principal is stored in the Subject's principal set.

(Taken from here)

This means that LoginContext.login is indeed equal to kinit in that after each of them, we have a TGT.

The service ticket will be obtained and used later - according to the action performed in Subject.doAs().