Details
- Bug
- Resolution: Fixed
- P2
- 7u45, 8
- b120
- generic
- windows
- Verified
Backports
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8030313 | 8u5 | Weijun Wang | P2 | Resolved | Fixed | b01 |
JDK-8034682 | 7u65 | Weijun Wang | P2 | Resolved | Fixed | b01 |
JDK-8028360 | 7u60 | Weijun Wang | P2 | Closed | Fixed | b02 |
JDK-8029575 | na | Weijun Wang | P2 | Closed | Not an Issue | |
Description
The customer has proved that Kerberos is set up correctly by using IE. IE can browse
the internet via Kerberos authentication, but JWS cannot.
From a network capture, they saw AS-REP "KRB5KDC_ERR_PREAUTH_REQUIRED" and
"KRBKDC_ERR_PREAUTH_FAILED" when allowtgtsessionkey = 0 for the krbtgt/DOMAIN
request to the AD server. When allowtgtsessionkey = 1, they got TGS-REP
"KRB5KRB_AP_ERR_MODIFIED" for HTTP/squidproxy.domain.
If they disable Kerberos pre-authentication for that user and the user has run KINIT
in JRE/bin before launching the JNLP, JWS can download properly.
system configuration
====================
Environment - Squid proxy with Kerberos authentication enabled. Squid OS is
Ubuntu. AD is Windows 2008. Client is Windows 7 x86 with 7u45.
javaws -J-Dsun.security.krb5.debug=true <http://your jnlp>
The log can be found at https://mos-cores.us.oracle.com/web/cores/3-8062194441/tds-2013-11-13/javaws5447623760750531854.log
They use the krb5.ini that is available at https://mos-cores.us.oracle.com/web/cores/3-8062194441/tds-2013-11-08/krb5.ini
Issue Links
- backported by
  - JDK-8030313 JWS doesn't get authenticated when using kerberos auth proxy (Resolved)
  - JDK-8034682 JWS doesn't get authenticated when using kerberos auth proxy (Resolved)
  - JDK-8028360 JWS doesn't get authenticated when using kerberos auth proxy (Closed)
  - JDK-8029575 JWS doesn't get authenticated when using kerberos auth proxy (Closed)
- blocks
  - JDK-8033120 JWS doesn't get authenticated when using kerberos (Closed)