how to implement Kerberos protocol transition in J

Published 2019-04-12 01:56

Question:

Edit

Now I know what I need. I need to implement Kerberos protocol transition (S4U2Self) in Java. There are examples in .Net, but none for Java.

There is this third party library Quest Single Sign on for Java that claims to do that. I've downloaded the JAR and it looks good, but I would rather use a custom implementation instead of someone else's code (which has to be paid for).

Can anyone give any head start on what needs to be done? Any existing open Java API to handle this?

Thanks

Question before

At the moment my application only knows the user id, and I need to authenticate that user with Kerberos, create a service ticket and use it to access a third party service.

My application needs to act like a proxy, and needs to send requests to the third party service on behalf of the provided user id. This is because there are constraints on other third party applications.

I can't get the password of the given user id in any way, nor get a previous service ticket from the same user id (to forward it). I do know the credentials of an admin user.

Is there a way to create a service token using just the user id (principal name)?

Maybe some sort of delegation, in which a trusted principal is already authenticated and requests service tickets for other principals?

Thanks

Answer 1:

S4U2self/S4U2proxy is supposed to be coming in JDK 8:

  • http://openjdk.java.net/projects/jdk8/features
  • http://openjdk.java.net/jeps/113

In the meantime, I'm looking at https://github.com/cconlon/kerberos-java-gssapi

(His SWIG input file doesn't include gss_acquire_cred_impersonate_name but that's simple to change. Working out how to use it might take me a bit longer.)
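
The JDK 8 S4U2self/S4U2proxy support referred to in the answer above is exposed through `com.sun.security.jgss.ExtendedGSSCredential.impersonate`. The following is an added example, not code from the original question or answer, showing a proxy service obtaining a ticket for a backend in a user's name from the user id alone. Assumptions: the principal names, keytab path and host names are placeholders, `krb5.conf` points at the realm's KDC, and the KDC administrator has allowed the service account to use protocol transition and constrained delegation to the target service only.

```java
import com.sun.security.jgss.ExtendedGSSCredential;
import org.ietf.jgss.*;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;

public class ProtocolTransition {
    // Placeholder values (assumptions, not from the page).
    static final String SERVICE_PRINCIPAL = "HTTP/proxy.example.com@EXAMPLE.COM";
    static final String KEYTAB = "/etc/security/proxy.keytab";
    static final String TARGET_SERVICE = "HTTP@backend.example.com";

    public static void main(String[] args) throws Exception {
        final String userId = args[0]; // e.g. alice@EXAMPLE.COM; no user password needed
        // Log in as the proxy service itself, using its own keytab.
        final HashMap<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", KEYTAB);
        opts.put("principal", SERVICE_PRINCIPAL);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("proxy", null, null, conf);
        lc.login();
        byte[] token = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager m = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism
            GSSCredential self = m.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
            // S4U2self: obtain a ticket to our own service in the user's name.
            GSSName user = m.createName(userId, GSSName.NT_USER_NAME);
            GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(user);
            // S4U2proxy: the first context token carries a ticket for the target.
            GSSName target = m.createName(TARGET_SERVICE, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = m.createContext(target, krb5, asUser, GSSContext.DEFAULT_LIFETIME);
            return ctx.initSecContext(new byte[0], 0, 0);
        });
        System.out.println("Token for " + TARGET_SERVICE + ": " + token.length + " bytes");
    }
}
```

If the service account lacks the delegation rights, the KDC rejects the request and `impersonate` or `initSecContext` throws a `GSSException`, which is the intended failure mode for an account that has not been explicitly trusted.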