Knowledgebase: MarkLogic Server
Authenticating XCC/J applications using a Kerberos keytab
24 November 2016 09:22 AM


When using Kerberos to authenticate to a MarkLogic server, the user must first obtain a Kerberos ticket, either by authenticating to a directory server such as Active Directory or directly to the Kerberos Domain server using the kinit utility.

For interactive use this does not pose a problem, but for unattended application use, such as an XCC/J application, problems can ensue if a previously generated Kerberos ticket has expired.

This article will outline the steps needed to use a "client-side" Kerberos Keytab that can authenticate an XCC/J application without requiring manual intervention to regenerate Kerberos tickets.


  • MarkLogic Server and XCC/J 8.0.5 or later
  • Java 1.7 or later

Configuration steps

1. Create or update the existing services.keytab and add the User Principal that you want to use with XCC, e.g. ml1@MLKRB.LOCAL  

[kadnin@mwca1 Data]# kadmin.local
Authenticating as principal mluser1/admin@MLKRB.LOCAL with password. 

kadmin.local: listprincs

kadmin.local: ktadd -k services.keytab ml1@MLKRB.LOCAL

2.  Copy the services.keytab file to a path on the Java XCC client machine.

Note: For security reasons, ensure that the keytab is readable only by the XCC application userid.

3.  Create a Java Authentication and Authorization Service (JAAS) login.conf file with the following contents; change the “principal” and “keyTab” entries accordingly.

{ required
}; { required

4.  Set the following Java System properties either within the XCC Java application or from the command line, changing login.conf and krb5.conf entries as required.

5.  Run the XCC Java application; it should use the Kerberos credentials from the services.keytab to authenticate to the MarkLogic XDBC Server.


A simple query to return the current timestamp from a MarkLogic XDBC server.

[ml1@mwca1 ~]$ java com.marklogic.xcc.examples.SimpleQueryRunner xcc:// query

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /home/ml1/Data/services.keytab refreshKrb5Config is false principal is ml1@MLKRB.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is ml1@MLKRB.LOCAL
Will use keytab
Commit Succeeded


6.  In the MarkLogic AccessLogs, you should see the following entries, which show a successful Kerberos authentication from the Java XCC Client.

External User(ml1@MLKRB.LOCAL) is Mapped to User(krbuser1) - - [23/Nov/2016:18:03:59 +0000] "POST /eval XDBC/1.0" 200 128 - "Java/1.8.0_66 MarkLogicXCC/8.0-6"

7.  Once authentication is successfully established, "debug=false" can be set in the JAAS login.conf to reduce the verbose logging messages.
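
The note in step 2 requires the keytab to be readable only by the XCC application userid. The pre-flight check below is an added example, not part of the original article or of MarkLogic's tooling. The function name keytab_check is hypothetical, and a Linux client with GNU or busybox `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not MarkLogic code): pre-flight check for a client-side keytab.
# Assumes GNU/busybox `stat -c`; run it as the XCC application userid.

# keytab_check FILE: prints one line per finding; returns 0 only when FILE is
# a regular file, owned by the calling user, with no group/other access, in a
# directory that group/other cannot write to.
keytab_check() {
    kt=$1
    rc=0

    # A symlink could be repointed at a different key, so reject it outright.
    if [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "FAIL: $kt is missing, a symlink, or not a regular file"
        return 1
    fi

    mode=$(stat -c '%a' "$kt")     # octal permission bits, e.g. 600
    owner=$(stat -c '%u' "$kt")    # numeric uid of the owner
    dir=$(dirname "$kt")
    dmode=$(stat -c '%a' "$dir")

    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL: $kt is owned by uid $owner, not by uid $(id -u)"
        rc=1
    fi
    # 077 masks every group and other bit; any of them set exposes the key.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $kt has mode $mode; group/other must have no access"
        rc=1
    fi
    # 022 masks group/other write on the directory: with it set, another
    # account may be able to swap the keytab for a file of its own.
    # Conservative: sticky directories such as /tmp are flagged as well.
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir has mode $dmode and is writable by group/other"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $kt (mode $mode, uid $owner)"
    return "$rc"
}

# Stand-alone use: sh keytab_check.sh /path/to/services.keytab
if [ -n "${1:-}" ]; then
    keytab_check "$1"
fi
```

Run it from the application's start script before launching the JVM, so a keytab that has become group- or world-readable stops the start instead of being used silently.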
