When trying to log in via Vintela Single Sign-on for Java (VSJ) version 3.0 from a Windows XP host, we get the following exception: javax.security.auth.login.LoginException:
java.lang.NullPointerException at com.dstc.security.kerberos.jaas.KerberosLoginModule.loadPrincipal(KerberosLoginModule.java:775)
but the same configuration works fine on our other Windows server systems.
Is this a known issue?
When the VSJ 3.0 KerberosLoginModule accesses the Windows native credential cache, it uses a Windows API that Microsoft introduced in Windows 2000. Microsoft later decided that this API was giving out more sensitive security information than they thought desirable, so in later releases they locked it down. The lockdown started in Windows 2000 SP4 (VSJ 3.0 can still function correctly with this version), but from Windows XP SP2 the API is completely locked down, and this stops VSJ from working.
There are two options to get VSJ working:
1. Microsoft provides a registry key, "AllowTgtSessionKey", to re-enable the old behaviour of the API: http://support.microsoft.com/kb/308339 (Note that the exact path to the registry key varies between different releases of Windows. That KB article shows the registry key under Lsa\Kerberos\Parameters. Windows XP does not need the "Parameters" key, but instead expects AllowTgtSessionKey to be directly under Lsa\Kerberos). Many organizations are (quite reasonably) not comfortable with using AllowTgtSessionKey due to the sensitive nature of the security data which is being exposed.
2. Upgrade to VSJ 3.1, which has been redesigned to work with a different Windows API (the Windows SSPI) that does not have the same issues. This works with Windows 2000 up to Windows XP (including Windows Server 2003). To do this we introduced a new package (com.dstc.security.kerberos.winsspi), a new LoginModule (WinSSPILoginModule), and a new GSSManager implementation (WinSSPIGSSManager) that works with the WinSSPILoginModule. The recommendation is to upgrade to VSJ 3.1.
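Because the location of AllowTgtSessionKey differs between Windows releases (option 1), an audit has to look in both places. The following PowerShell check is an added example, not part of the original answer or of VSJ; the function name is hypothetical, and the HKLM\SYSTEM\CurrentControlSet\Control prefix is the standard location of the Lsa key rather than something stated above.

```powershell
# Added example: report whether AllowTgtSessionKey is set on this host.
# Both locations named in the text are checked, because the expected path
# depends on the Windows release (Lsa\Kerberos on XP, Lsa\Kerberos\Parameters elsewhere).
$base       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
$candidates = @($base, (Join-Path $base 'Parameters'))

# Hypothetical helper name; returns one object per registry path checked.
function Get-AllowTgtSessionKeyState {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $state = 'KeyMissing'   # the registry key itself does not exist
        $value = $null
        if (Test-Path -LiteralPath $p) {
            $item = Get-ItemProperty -LiteralPath $p -Name 'AllowTgtSessionKey' `
                        -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'NotSet'   # key exists, value absent (locked-down default)
            } else {
                $value = $item.AllowTgtSessionKey
                $state = if ($value -eq 1) { 'Enabled' } else { 'Disabled' }
            }
        }
        New-Object PSObject -Property @{ Path = $p; Value = $value; State = $state }
    }
}

$results = Get-AllowTgtSessionKeyState -Path $candidates
$results | Format-Table Path, Value, State -AutoSize

# Flag hosts where the old, unrestricted API behaviour has been re-enabled.
if ($results | Where-Object { $_.State -eq 'Enabled' }) {
    Write-Warning 'AllowTgtSessionKey is enabled: the locked-down credential cache API behaviour has been relaxed on this host.'
}
```

After moving to VSJ 3.1 and the WinSSPILoginModule, a host that still reports Enabled no longer needs the value for VSJ.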