JDK-6631053

Support canonicalize in Kerberos configuration file


    • Type: Enhancement
    • Resolution: Duplicate
    • Priority: P4
    • 14
    • 6
    • security-libs

A DESCRIPTION OF THE REQUEST:
The canonicalize option of ticket requests cannot be set for Kerberos authentication attempts initiated by the JRE (e.g. JNDI). The method available for setting related flags of the ticket request is through a Kerberos configuration file, so this seems the likely route for resolving this issue.

JUSTIFICATION:
Our particular case involves a JNDI connection to an Active Directory Application Mode LDAP server behind a load-balancer. A Windows 2000 Server is acting as the domain controller.

In this case, it is impossible to perform Kerberos authentication with Java. JNDI's SASL/GSSAPI support is hard-wired to request the ticket using the address of the load-balancer, and without the canonicalize option, the KDC cannot return a certificate with the proper principal. However, an identical ticket request with the canonicalize option set will produce a usable ticket; we have observed this directly with Microsoft's ldp tool. (We should note that doing this with ldp requires forcing ldp to use GSSAPI, and the method of doing this is non-intuitive.)


EXPECTED VERSUS ACTUAL BEHAVIOR:
EXPECTED -
Canonicalize can be enabled through the Kerberos configuration file.
ACTUAL -
Canonicalize cannot be enabled through the Kerberos configuration file.

CUSTOMER SUBMITTED WORKAROUND:
In our case, eliminate the load balancer, and load-balance in software.

In some cases, one could use a different method of authentication, but this is not always practical.

The only other options are to replace nearly the entire JNDI/SASL/GSSAPI/Kerberos stack with another solution (neither practical nor desirable), or modify the JRE to allow setting the canonicalize option (the resulting JRE can't legally be distributed).
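The JNDI path the report describes, as an added example that is not part of the bug report or of the JDK: a SASL/GSSAPI bind through `javax.naming`, showing where the JRE picks up the Kerberos configuration file and why the service principal it asks the KDC for is derived from the host in the LDAP URL (here the load balancer). The hostnames, the JAAS entry name `KerberosClient`, and the file paths are assumptions; whether the `[libdefaults]` `canonicalize` setting in krb5.conf is honored by the JRE is exactly what this issue asks for, so the example does not rely on it.

```java
// Added example (not the JDK's or the reporter's code). Assumed JAAS config file jaas.conf:
//   KerberosClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };
// Assumed /etc/krb5.conf [libdefaults] entry, in MIT krb5 syntax (honoring it is this RFE):
//   canonicalize = true
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class GssapiLdapBind {
    // Hypothetical load-balancer name. JNDI's GSSAPI SASL client builds the service
    // principal from this host (ldap/ldap-lb.example.com), not from the real server
    // behind it, which is why the KDC needs canonicalize to hand back a usable ticket.
    static final String LDAP_URL = "ldap://ldap-lb.example.com:389/";

    public static void main(String[] args) throws Exception {
        // Tell the JRE which Kerberos configuration file to read.
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        // Krb5LoginModule (configured in jaas.conf) obtains the client's TGT.
        System.setProperty("java.security.auth.login.config", "jaas.conf");

        LoginContext lc = new LoginContext("KerberosClient");
        lc.login();
        Subject subject = lc.getSubject();

        // The LDAP bind runs as the Kerberos-authenticated Subject so the SASL
        // client can find the TGT and request the ldap/<url-host> service ticket.
        DirContext ctx = Subject.doAs(subject, (PrivilegedExceptionAction<DirContext>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // Ask for integrity and confidentiality on the connection after the bind.
            env.put("javax.security.sasl.qop", "auth-conf");
            return new InitialDirContext(env);
        });

        System.out.println("Bound as " + subject.getPrincipals());
        ctx.close();
    }
}
```

If the KDC cannot issue a ticket for the load balancer's name, the failure surfaces as a `javax.naming.AuthenticationException` wrapping a GSSException from `new InitialDirContext(env)`, which is the symptom the report describes.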

Assignee: Weijun Wang (weijun)
Reporter: Nelson Dcosta (ndcosta, inactive)
Votes: 0
Watchers: 1
