1 year ago

Michael J

Kerberos uninteractive login to Windows AD in Java Desktop app running on Windows

I am trying to create a Java desktop app that would require its users to log in to a Windows Active Directory domain.

However, because the computers this app would be launched on are already in said domain, I thought it is not the best solution to provide credentials to log in to the computer and, moments later, the same credentials for the app.

That is why I thought of non-interactive Kerberos login, where the app would authenticate as the user logged on to the computer without a prompt. Basically, if a user logs on to the computer (on his domain account), he should not be prompted for credentials when launching the application.

This is the best and simplest solution that works for me so far:

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class GssExample {

    public static void main(String[] args) throws LoginException {

        Subject mysubject = new Subject();
        // JAAS login configuration and Kerberos realm configuration (files shown below)
        System.setProperty("java.security.auth.login.config", "jaasprj04.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        // TextCallbackHandler answers name/password callbacks on the console,
        // which is where the unwanted password prompt comes from
        LoginContext loginContext = new LoginContext("GssExample", mysubject, new TextCallbackHandler());
        loginContext.login();

    }
}

And the configuration files contents:

jaasprj04.conf:

GssExample {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true debug=true;
};

krb5.conf:

[realms]
    MYDOMAIN.COM = {
        kdc = mydomain.com:88
        default_domain = MYDOMAIN.COM
    }

However, this solution prompts for a password on the command line, and I would like it to use Integrated Windows Authentication or some other mechanism that would enable it to use the credentials of the logged-in user. (That would be a Kerberos token, I think)

This article was a huge help to me: https://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/single-signon.html

But I don't think it talks about the case I want, since it describes client and server parts of code. In my case there is only the client and Windows Active Directory. My app would log in to AD with a Kerberos token and perform some operation (for example, if I log in to the app as Domain Administrator, I could add a user to AD through the app). There is no server in between. (I am considering using Keycloak though)

There are some helpful examples for Kerberos Authentication on the Internet, but almost all of them describe web applications that use SPNEGO token and web browser to authenticate.

My app however won't use a web browser at all, so it is pretty different from the examples I stumbled upon on the Internet.

Is the effect I describe even possible in Java desktop application? If so, how can I achieve it?

Note: I tried the doNotPrompt parameter in conf file and I've made the AllowTGTSessionKey registry change - neither worked for me.

java

windows

single-sign-on

kerberos

jaas

0 Answers
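The following is an added diagnostic example, not the poster's code and not an answer from the thread. It performs the same Krb5LoginModule login as the question, but with `doNotPrompt=true` and a callback handler that refuses every callback, so it can never ask for a password: either the TGT already held by the Windows LSA ticket cache is accepted, or the login fails and the module's `debug=true` output on stderr states why the cache was rejected (one well-known reason on Windows is a TGT returned with no session key, which is what the `AllowTgtSessionKey` registry setting mentioned in the question controls). The JAAS entry is built in code instead of `jaasprj04.conf`; the `krb5.conf` file name and the `TicketCacheCheck` class/entry names are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Checks whether a non-interactive Kerberos login from the OS ticket cache works. Added example. */
public class TicketCacheCheck {

    /** JAAS configuration built in code (assumed name; replaces the external .conf file). */
    static final class TicketCacheOnly extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "true");  // use the TGT the OS already holds
            opts.put("doNotPrompt", "true");     // never fall back to asking for a password
            opts.put("debug", "true");           // module prints on stderr why a cache was rejected
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    opts)
            };
        }
    }

    /** Refuses every callback, so no name/password prompt can ever be shown. */
    static final CallbackHandler NO_PROMPT = callbacks -> {
        for (Callback cb : callbacks) {
            throw new UnsupportedCallbackException(cb, "interactive prompting is disabled");
        }
    };

    /** Describes the TGT(s) that the login placed in the Subject. */
    static String describeTgt(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            return "login succeeded but no KerberosTicket was placed in the Subject";
        }
        StringBuilder sb = new StringBuilder();
        for (KerberosTicket t : tickets) {
            sb.append("ticket for ").append(t.getServer().getName())
              .append(", client ").append(t.getClient().getName())
              .append(", session key algorithm ").append(t.getSessionKey().getAlgorithm())
              .append(", expires ").append(t.getEndTime())
              .append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Realm configuration file, as in the question (assumed to be on the working directory).
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        Configuration.setConfiguration(new TicketCacheOnly());
        Subject subject = new Subject();
        try {
            LoginContext lc = new LoginContext("TicketCacheCheck", subject, NO_PROMPT);
            lc.login();
            System.out.println(describeTgt(subject));
            lc.logout();
        } catch (LoginException e) {
            // Reached whenever the OS ticket cache could not be used; the debug lines
            // printed just before this message give the concrete reason.
            System.err.println("non-interactive login failed: " + e.getMessage());
        }
    }
}
```

Run it from a domain-joined Windows session as a normal domain user. A successful run prints the `krbtgt/REALM@REALM` ticket with its session key algorithm, which is exactly the credential a later `Subject.doAs` plus GSS-API call would use against AD; a failure with the refusing handler is the fast way to tell a real cache problem from a mere missing `doNotPrompt` option, without ever typing a password into the tool.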
