- Bug
- Resolution: Fixed
- P3
- 7
- b100
- generic
- generic
- Verified

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2195781 | 6u25 | Robert Mckenna | P3 | Closed | Fixed | b02 |
JDK-2195782 | 5.0u29 | Robert Mckenna | P3 | Resolved | Fixed | b01 |

Before 6932525, Java used only the preauth etype as the supported etype in the 2nd AS-REQ. As 6932525 shows, this does not interoperate well with Windows 2008 (in Windows 2000 compat mode), but it does force the KDC to use the same etype in the enc-part of the final AS-REP.

After 6932525, Java allows all supported etypes in the 2nd AS-REQ, and it seems that at least Windows 2000 might respond with an AS-REP whose enc-part is *not* encrypted with the etype used for preauth. Since Java already allows all supported etypes in the request, there is nothing to blame here.

Unfortunately, we have a bug: only the preauth etype is used to decrypt the enc-part in the final AS-REP. Now that the etypes for preauth and the enc-part are different, a KrbException is thrown.

The following sqe tests fail in b97 tl pit because of this bug:
SPNEGO_HTTP_AUTH/WWW_KRB execute_script pit
SPNEGO_HTTP_AUTH/WWW_SPNEGO execute_script pit
SPNEGO_HTTP_AUTH/PROXY_KRB_2 execute_script pit
SPNEGO_HTTP_AUTH/PROXY_SPNEGO_2 execute_script pit
SPNEGO_HTTP_AUTH/WWW_SPNEGO_DELE/TRUSTED_HOST_TRUSTED_USER execute_script pit
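
The key-selection mistake described above, as an added example (not JDK code and not the change that fixed this issue). It assumes AES-GCM as a stand-in for the real Kerberos ciphers; the class, method names, keys and the etype pairing are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Simplified model: AES-GCM stands in for the real Kerberos ciphers so this
// runs on a plain JDK (16+). Only the key-selection logic is the point.
public class EncPartKeySelection {
    static final int AES256_CTS = 18, RC4_HMAC = 23; // etype numbers (RFC 3962, RFC 4757)
    // Mirrors RFC 4120 EncryptedData: the ciphertext carries its own etype.
    record EncryptedData(int etype, byte[] iv, byte[] cipher) {}

    static byte[] crypt(int mode, byte[] key, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }
    // Behaviour the report describes: always decrypt with the preauth etype's key.
    static byte[] decryptWithPreauthEtype(Map<Integer, byte[]> keys, int preauthEtype,
                                          EncryptedData ed) throws GeneralSecurityException {
        return crypt(Cipher.DECRYPT_MODE, keys.get(preauthEtype), ed.iv(), ed.cipher());
    }
    // Selection by the etype declared in the enc-part, failing closed if no key exists.
    static byte[] decryptWithEncPartEtype(Map<Integer, byte[]> keys,
                                          EncryptedData ed) throws GeneralSecurityException {
        byte[] key = keys.get(ed.etype());
        if (key == null) throw new GeneralSecurityException("no key for etype " + ed.etype());
        return crypt(Cipher.DECRYPT_MODE, key, ed.iv(), ed.cipher());
    }
    public static void main(String[] args) throws Exception {
        // Constructed long-term keys, one per etype (real ones come from string-to-key).
        Map<Integer, byte[]> keys = Map.of(
            AES256_CTS, "A".repeat(32).getBytes(StandardCharsets.US_ASCII),
            RC4_HMAC, "R".repeat(16).getBytes(StandardCharsets.US_ASCII));
        byte[] iv = new byte[12]; // fixed IV only because this is a one-shot demo
        byte[] plain = "EncASRepPart (constructed)".getBytes(StandardCharsets.UTF_8);
        // Constructed scenario: preauth used etype 18, the KDC encrypts enc-part with 23.
        EncryptedData ed = new EncryptedData(RC4_HMAC, iv,
            crypt(Cipher.ENCRYPT_MODE, keys.get(RC4_HMAC), iv, plain));
        try {
            decryptWithPreauthEtype(keys, AES256_CTS, ed);
        } catch (GeneralSecurityException e) {
            System.out.println("preauth etype key: " + e.getClass().getSimpleName());
        }
        System.out.println("enc-part etype key: "
            + new String(decryptWithEncPartEtype(keys, ed), StandardCharsets.UTF_8));
    }
}
```
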
- backported by
  - JDK-2195782 regression: cannot login if session key and preauth does not use the same etype (Resolved)
  - JDK-2195781 regression: cannot login if session key and preauth does not use the same etype (Closed)
- relates to
  - JDK-2194171 kerberos login failure on win2008 with AD set to win2000 compat mode (Resolved)
  - JDK-6951366 kerberos login failure on win2008 with AD set to win2000 compat mode (Closed)
  - JDK-7067974 multiple ETYPE-INFO-ENTRY with same etype and different salt (Closed)
  - JDK-6932525 Incorrect encryption types of KDC_REQ_BODY of AS-REQ with pre-authentication (Closed)