Using Kerberos delegation with Internet Explorer and JGSS, workaround?
I'm trying to set up single sing-on (SSO) into a web application with Kerberos, where the web application in turn should use the Kerberos ticket it received to access a backend service on behalf of the user.
In theory this should be a fairly straightforward Kerberos delegation scenario.
I'm still bound to using Java 1.4.2 for this scenario, so I've created some code for SPNEGO parsing. I can log into the web application from Internet Explorer with SSO, and everything is OK this far. (Except that the ticket I receive can't be used for delegation.)
When I enable delegation for the user in Active Directory that represents the web application, and then try to log in again, I get an IllegalArgumentException with the message "Authentication time of ticket cannot be null". This is the same problem that is described in more detail here: http://archives.java.sun.com/cgi-bin/wa?A2=ind0210&L=java-security&P=R655&I=-3
So this is obviously a known problem, but I haven't been able to find any other workaround that turning delegation off, and that removes the reason for using Kerberos in my case.
Does anyone know of a workaround for this problem? Or is it simply not possible to use Kerberos delegation when getting a ticket from Internet Explorer?
