
OK, so I'm trying to connect to an MSSQL Server from a Wildfly 9 sitting on Ubuntu, via Kerberos. The KDC is Microsoft AD.

I managed to get it working just fine, having a security-domain that looks like this:

    <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
        <module-option name="storeKey" value="false"/>
        <module-option name="useKeyTab" value="true"/>
        <module-option name="keyTab" value="/opt/wildfly-9.0.2/standalone/configuration/krb5.keytab"/>
        <module-option name="principal" value="app-BV"/>
        <module-option name="useTicketCache" value="false"/>
        <module-option name="debug" value="true"/>
        <module-option name="refreshKrb5Config" value="true"/>
        <module-option name="isInitiator" value="true"/>
        <module-option name="addGSSCredential" value="true"/>
        <module-option name="delegationCredential" value="USE"/>
        <module-option name="wrapGSSCredential" value="true"/>
    </login-module>

I'm using a keytab, and also the new wrapGSSCredential flag, because Microsoft's JDBC driver disposes of the ticket immediately after login, which on a subsequent SQL call causes an NPE without this flag set (see bug description).

This works fine, meaning that I can connect to the database and connections are reestablished after a conn is lost.

What doesn't work is the renewal. Basically the situation is as follows:

  1. Wildfly caches the credentials obtained.
  2. Wildfly's cache validation on a set of credentials always passes, even if the underlying ticket has expired.
  3. After 10 hours (the default lifetime of a ticket for AD) the ticket passed by Wildfly to the driver is expired.
  4. The Sun Kerberos API looks for a TGT in the ticket but it doesn't find it, and hence fails to obtain a new ticket. The error I get is:

    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)

So, my question is: aside from not using the JBoss cache (or using Infinispan and evicting the credential before it becomes obsolete), is there any other way to get a new Kerberos ticket?

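Added example (Java, not from the original post): a validity check that inspects the end time of the Kerberos tickets held in the Subject instead of trusting a cache hit, plus a re-login helper that reuses the same Subject. It assumes an EXAMPLE.COM realm and a hypothetical JAAS entry name, and constructs an already-expired ticket so the check can be exercised without a KDC; refresh() is not called in main for the same reason.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Validates cached Kerberos tickets by their end time instead of trusting a cache hit. */
public class KerberosTicketCheck {

    /** True if the Subject holds a ticket still valid for at least 'margin' beyond 'now'. */
    static boolean hasUsableTicket(Subject subject, Instant now, Duration margin) {
        Instant deadline = now.plus(margin);
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            Date end = t.getEndTime();
            if (!t.isDestroyed() && end != null && end.toInstant().isAfter(deadline)) {
                return true;
            }
        }
        return false;
    }

    /** Re-runs the JAAS login (hypothetical entry name) into the same Subject so callers see fresh tickets. */
    static void refresh(Subject subject, String jaasEntry) throws LoginException {
        // Drop the stale tickets first so the check above cannot pick them up again.
        subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(KerberosTicket.class));
        new LoginContext(jaasEntry, subject).login();
    }

    public static void main(String[] args) {
        // Constructed sample: issued 11 hours ago with AD's default 10-hour lifetime, so expired an hour ago.
        Instant now = Instant.now();
        Date issued = Date.from(now.minus(Duration.ofHours(11)));
        Date expiry = Date.from(now.minus(Duration.ofHours(1)));
        KerberosTicket stale = new KerberosTicket(
                new byte[] {0x30, 0x00},                         // placeholder ASN.1 bytes, not a real ticket
                new KerberosPrincipal("app-BV@EXAMPLE.COM"),     // assumed realm
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                new byte[16], 17,                                // dummy session key, AES128 key type
                new boolean[32], issued, issued, expiry, null, null);
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(stale);
        // A cache that only asks "is there a ticket?" says yes here; this check reports it as unusable.
        boolean usable = hasUsableTicket(subject, now, Duration.ofMinutes(5));
        System.out.println("Cached ticket still usable: " + usable);
    }
}
```

Calling refresh() whenever hasUsableTicket() returns false, before handing the Subject to the driver, replaces the expired ticket without waiting for the cache to evict it.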