
Whether to use an SPN with a Kerberos loginmodule in JAAS


I am building a Kerberos login module with JAAS that will be used by JConsole.

JConsole will be the client used to access a process with exposed MBeans; the Kerberos login module will authenticate the user.

The user will log in via JConsole, and JConsole will pass the user data to the login module. The username and password are then handled by the Kerberos login module, and the user's credentials are validated against a central Active Directory.

I am having problems with the configuration of this for Kerberos. Namely, will this require the setup of an SPN? Or will it only require a single keytab setup?


Solution

  • If you are asking the user for the username and password on the console, then you need neither a keytab nor an SPN. All you need is a plugin for JAAS that will ask for the password. The Kerberos session will be initiated by the JAAS login module, and you will have a TGT inside your app.

    On the other hand, if you are planning to accept an existing Kerberos session from the user (their current Windows domain session), then you do need to have an SPN in Active Directory, and the user will not be prompted for the password by your application.

    The keytab is just a copy of the key stored in the Kerberos database; you always need an SPN to generate the keytab. But the converse is not true: you can obtain the session key from Active Directory by providing an SPN password.
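
The two cases from the answer, written as programmatic JAAS configurations for the JDK's `Krb5LoginModule`. This is an added example, not code from the original post. The class name, the entry name `jmx-kerberos`, and the `spn` and `keytabPath` parameters are hypothetical, and the realm and KDC are assumed to come from `krb5.conf` or the `java.security.krb5.realm` and `java.security.krb5.kdc` system properties.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class KrbJaasConfigs {  // hypothetical class name
    static final String KRB5 = "com.sun.security.auth.module.Krb5LoginModule";

    // Case 1 (user types username/password): the module is the Kerberos
    // initiator and obtains a TGT for the user. No keytab, no SPN.
    static Configuration passwordLogin() {
        return single(Map.of("useTicketCache", "false", "useKeyTab", "false",
                             "doNotPrompt", "false")); // CallbackHandler supplies credentials
    }

    // Case 2 (accept the user's existing session): the service needs its own
    // key, so an SPN must exist in Active Directory and its keytab is loaded.
    static Configuration acceptor(String spn, String keytabPath) {
        return single(Map.of("useKeyTab", "true", "keyTab", keytabPath,
                             "principal", spn, "storeKey", "true",
                             "doNotPrompt", "true", "isInitiator", "false"));
    }

    static Configuration single(Map<String, String> options) {
        AppConfigurationEntry entry = new AppConfigurationEntry(
            KRB5, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Validates user/password against the KDC; throws LoginException on failure.
    static Subject login(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext ctx = new LoginContext("jmx-kerberos", null, handler, passwordLogin());
        ctx.login();
        return ctx.getSubject();
    }
}
```

If the acceptor configuration is used, restrict the keytab file's permissions to the service account, since it holds the service's long-term key.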