Type: Enhancement
Resolution: Fixed
Priority: P4
Affects Version/s: 8, 11
Resolved In Build: b02
CPU: generic
OS: generic
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8241315 | 13.0.3 | Martin Balao Alonso | P4 | Resolved | Fixed | b01 |
JDK-8259888 | 11.0.12-oracle | Sean Coffey | P4 | Resolved | Fixed | b01 |
JDK-8237476 | 11.0.7 | Martin Balao Alonso | P4 | Resolved | Fixed | b01 |
JDK-8239217 | openjdk8u252 | Martin Balao Alonso | P4 | Resolved | Fixed | b03 |
JDK-8259887 | 8u301 | Sean Coffey | P4 | Resolved | Fixed | b01 |
The Kerberos client has partial support for the Microsoft MS-SFU extensions [1]. These extensions let a "middle service" obtain a TGS (Ticket-Granting-Service) ticket on behalf of a user principal in a constrained delegation context. The S4U2Self extension covers impersonation of the user to the "middle service" itself, while S4U2Proxy covers impersonation of the user to a "backend service".
In the S4U2Self case, the current implementation requires the impersonated principal and the "middle service" to be in the same realm. S4U2Proxy has the same requirement for the "backend service". As a result, cross-realm referrals (specified by this protocol extension [2] [3]) cannot be handled. An example of an S4U2Self exchange in a multiple-realm context is given here [4].
The goal of this enhancement is to build on the support for Kerberos cross-realm referrals (introduced in the context of 8215032 [5]) and extend it to S4U2Self and S4U2Proxy.
Note: the absence of this enhancement was originally noticed in new tests introduced for JEP113. See original report below [6].
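The two-step flow described above (S4U2Self followed by S4U2Proxy), written as an added JGSS example for this page; it is not code from the bug report or from the JDK test suite. It uses only the public JGSS API (org.ietf.jgss and com.sun.security.jgss.ExtendedGSSCredential). The principal names are the ones from the test description below; the JAAS entry name "middle" and the keytab-based login it is assumed to configure are assumptions, not something the page specifies.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

public class CrossRealmS4U {
    // Kerberos V5 mechanism OID (RFC 1964).
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");

    // Principal names from the test description: the user lives in REALM2,
    // the middle and backend services in REALM1.
    static final String USER = "client@REALM2";
    static final String MIDDLE = "krbservice1@REALM1";
    static final String BACKEND = "krbservice2@REALM1";

    public static void main(String[] args) throws Exception {
        // Assumption: a JAAS configuration entry named "middle" logs
        // krbservice1@REALM1 in from its keytab (Krb5LoginModule with
        // useKeyTab=true and storeKey=true). The JGSS calls below must run
        // under that Subject so the middle service's own TGT is available.
        LoginContext lc = new LoginContext("middle");
        lc.login();
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            byte[] apReq = s4uTokenFor(USER, BACKEND);
            System.out.println("AP-REQ for " + BACKEND + " on behalf of " + USER
                    + ": " + apReq.length + " bytes");
            return null;
        });
    }

    /**
     * Step 1 (S4U2Self): obtain a credential that represents the user to the
     * middle service. Step 2 (S4U2Proxy): initiate a context to the backend
     * with that credential, which makes the client request a backend ticket
     * carrying the user's identity.
     */
    static byte[] s4uTokenFor(String user, String backend) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();

        // The middle service's own credential, taken from the current Subject.
        GSSCredential self = mgr.createCredential(
                mgr.createName(MIDDLE, GSSName.NT_USER_NAME),
                GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.INITIATE_ONLY);

        // S4U2Self: a TGS-REQ carrying PA-FOR-USER that names the user. Before
        // this enhancement the client required the user and the middle service
        // to share a realm; with cross-realm referrals the REALM1 KDC can refer
        // the client to REALM2 and the referral chain is followed.
        GSSName userName = mgr.createName(user, GSSName.NT_USER_NAME);
        GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(userName);

        // S4U2Proxy: initiating with the impersonated credential makes the
        // client send a TGS-REQ for the backend with the S4U2Self ticket as
        // the additional ticket. The report's failure surfaced at exactly this
        // step (CredentialsUtil.acquireS4U2proxyCreds).
        GSSContext ctx = mgr.createContext(
                mgr.createName(backend, GSSName.NT_USER_NAME), KRB5_MECH, asUser,
                GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        // Constrained delegation only: do not forward a TGT to the backend.
        ctx.requestCredDeleg(false);
        return ctx.initSecContext(new byte[0], 0, 0);
    }
}
```

Run it with -Dsun.security.krb5.debug=true to see the individual TGS exchanges, including any referral hops between REALM1 and REALM2; the KDC must also permit the middle service to delegate to the backend, otherwise the S4U2Proxy request is refused by policy rather than by the client.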
--
[1] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94
[2] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/b2f8745f-5bd9-4c93-8a2b-ff4b95ed63eb
[3] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/36a72c74-7995-4cba-a2d2-6c9471a2a6af
[4] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/f35b6902-6f5e-4cd0-be64-c50bbaaf54a5
[5] - https://bugs.openjdk.java.net/browse/JDK-8215032
[6] - The tests jep113/MIT-AD2008-AD2008-Cons and jep113/SEAM-AD2008-AD2008-Cons are part of the new tests for JEP113, Constrained delegation in Kerberos
Test Description:
---------------------
client@REALM2 has established a Kerberos context with krbservice1@REALM1 with delegcred=false; krbservice1@REALM1 delegates to krbservice2@REALM1 using S4U2PROXY
NOTE: S4U2PROXY is within the same realm
The tests jep113/MIT-AD2008-AD2008-Cons and jep113/SEAM-AD2008-AD2008-Cons fail with message:
[2013-01-07T22:30:33.73] KrbException: KDC cannot accommodate requested option (13)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
[2013-01-07T22:30:33.73] at sun.security.krb5.internal.CredentialsUtil.acquireS4U2proxyCreds(CredentialsUtil.java:90)
[2013-01-07T22:30:33.73] at sun.security.krb5.Credentials.acquireS4U2proxyCreds(Credentials.java:460)
[2013-01-07T22:30:33.73] at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:694)
[2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
[2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
[2013-01-07T22:30:33.73] at Krb5Initiator.establishSecurityContext(Krb5Initiator.java:132)
[2013-01-07T22:30:33.73] at UseDelegatedCredAction.run(UseDelegatedCredAction.java:64)
[2013-01-07T22:30:33.73] at java.security.AccessController.doPrivileged(Native Method)
[2013-01-07T22:30:33.73] at javax.security.auth.Subject.doAsPrivileged(Subject.java:474)
[2013-01-07T22:30:33.73] at Server.impersonateClient(Server.java:470)
[2013-01-07T22:30:33.73] at Server.run(Server.java:147)
[2013-01-07T22:30:33.73] at java.lang.Thread.run(Thread.java:722)
[2013-01-07T22:30:33.73] Caused by: KrbException: Identifier doesn't match expected value (906)
[2013-01-07T22:30:33.73] at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
[2013-01-07T22:30:33.73] at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
[2013-01-07T22:30:33.73] at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
[2013-01-07T22:30:33.73] ... 14 more
[2013-01-07T22:30:33.73] GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
[2013-01-07T22:30:33.73] at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:767)
[2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
[2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
[2013-01-07T22:30:33.73] at Krb5Initiator.establishSecurityContext(Krb5Initiator.java:132)
[2013-01-07T22:30:33.73] at UseDelegatedCredAction.run(UseDelegatedCredAction.java:64)
[2013-01-07T22:30:33.73] at java.security.AccessController.doPrivileged(Native Method)
[2013-01-07T22:30:33.73] at javax.security.auth.Subject.doAsPrivileged(Subject.java:474)
[2013-01-07T22:30:33.73] at Server.impersonateClient(Server.java:470)
[2013-01-07T22:30:33.73] at Server.run(Server.java:147)
[2013-01-07T22:30:33.73] at java.lang.Thread.run(Thread.java:722)
[2013-01-07T22:30:33.73] Caused by: KrbException: KDC cannot accommodate requested option (13)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
[2013-01-07T22:30:33.73] at sun.security.krb5.internal.CredentialsUtil.acquireS4U2proxyCreds(CredentialsUtil.java:90)
[2013-01-07T22:30:33.73] at sun.security.krb5.Credentials.acquireS4U2proxyCreds(Credentials.java:460)
[2013-01-07T22:30:33.73] at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:694)
[2013-01-07T22:30:33.73] ... 9 more
[2013-01-07T22:30:33.73] Caused by: KrbException: Identifier doesn't match expected value (906)
[2013-01-07T22:30:33.73] at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
[2013-01-07T22:30:33.73] at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
[2013-01-07T22:30:33.73] at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
[2013-01-07T22:30:33.73] ... 14 more
[2013-01-07T22:30:33.73] GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
[2013-01-07T22:30:33.73] at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:767)
[2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
[2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
[2013-01-07T22:30:33.73] at Krb5Initiator.establishSecurityContext(Krb5Initiator.java:132)
[2013-01-07T22:30:33.73] at UseDelegatedCredAction.run(UseDelegatedCredAction.java:64)
[2013-01-07T22:30:33.73] at java.security.AccessController.doPrivileged(Native Method)
[2013-01-07T22:30:33.73] at javax.security.auth.Subject.doAsPrivileged(Subject.java:474)
[2013-01-07T22:30:33.73] at Server.impersonateClient(Server.java:470)
[2013-01-07T22:30:33.73] at Server.run(Server.java:147)
[2013-01-07T22:30:33.73] at java.lang.Thread.run(Thread.java:722)
[2013-01-07T22:30:33.73] Caused by: KrbException: KDC cannot accommodate requested option (13)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
[2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
[2013-01-07T22:30:33.73] at sun.security.krb5.internal.CredentialsUtil.acquireS4U2proxyCreds(CredentialsUtil.java:90)
- backported by
  - JDK-8237476 Support cross-realm MSSFU (Resolved)
  - JDK-8239217 Support cross-realm MSSFU (Resolved)
  - JDK-8241315 Support cross-realm MSSFU (Resolved)
  - JDK-8259887 Support cross-realm MSSFU (Resolved)
  - JDK-8259888 Support cross-realm MSSFU (Resolved)
- duplicates
  - JDK-8256659 Incorrect parsing of krb5 username (Closed)
- relates to
  - JDK-8256659 Incorrect parsing of krb5 username (Closed)
  - JDK-8270137 Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup (Closed)
(1 duplicates, 2 relates to)