JDK-8054026

Java requires AllowTGTSessionKey = 1 for Kerberos SSO to work


    • Type: Enhancement
    • Resolution: Duplicate
    • Priority: P4
    • Component: security-libs

      A DESCRIPTION OF THE REQUEST :
      * Java desktop client requires Kerberos Windows registry setting AllowTGTSessionKey = 1 for Kerberos SSO with kerberized backend to work. AllowTGTSessionKey = 1 is against our security policy.
      * Java client fails to retrieve the requested Kerberos service ticket from the underlying Windows OS when requested via HTTP 401 challenge response
      * Underlying OS is Windows 7 Enterprise SP1 in combination with Java jre1.7.0_60_32bit
      * The AllowTGTSessionKey topic is discussed in countless articles and blogs. AllowTGTSessionKey = 1 makes the problem go away but is against the security policy due to its inherent security risk.


      JUSTIFICATION :
      * Java should integrate with the native Windows SSPI so AllowTGTSessionKey = 1 is no longer necessary.

      * AllowTGTSessionKey = 1 is a security vulnerability exploitable by remote exploits.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      * Java should integrate with the native Windows SSPI to retrieve the required Kerberos service ticket.


      ACTUAL -
      The Java client just errors out with "java.io.IOException: Server returned HTTP response code: 401 for URL ...." when receiving the HTTP 401 Negotiate challenge from the kerberized backend.

      ---------- BEGIN SOURCE ----------
      package sun.net.www.protocol.http.spnego;

      import java.io.IOException;

      import sun.net.www.protocol.http.HttpCallerInfo;
      import sun.net.www.protocol.http.Negotiator;
      import waffle.windows.auth.impl.WindowsSecurityContextImpl;

      /**
       * Drop-in replacement for the JDK's NegotiatorImpl that obtains the
       * SPNEGO token from the native Windows SSPI (through Waffle/JNA) instead
       * of from the JDK's own Kerberos implementation, so the Java process
       * never needs the TGT session key (AllowTGTSessionKey).
       */
      public class NegotiatorImpl extends Negotiator {

          private final String serviceName;

          public NegotiatorImpl(HttpCallerInfo hci) throws IOException {
              // SPN of the kerberized backend, in the form SSPI expects
              this.serviceName = "HTTP/" + hci.host.toLowerCase();
          }

          @Override
          public byte[] firstToken() throws IOException {
              // Let SSPI build the initial Negotiate token for the target SPN
              return WindowsSecurityContextImpl.getCurrent("Negotiate", serviceName).getToken();
          }

          @Override
          public byte[] nextToken(byte[] in) throws IOException {
              // Kerberos completes in a single round trip; no further token is produced
              return new byte[0];
          }
      }

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      * Either set AllowTGTSessionKey = 1
       OR
      * Override the rt.jar class NegotiatorImpl, which is part of package sun.net.www.protocol.http.spnego, and provide waffle-jna.jar, jna-4.1.0.jar and jna-platform-4.1.0.jar to integrate with the native Windows SSPI
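The following diagnostic is an added example, not code from this bug report or from the JDK. It uses the JDK's own Krb5LoginModule to check whether the JVM can obtain the Windows logon TGT, with a usable session key, from the native LSA ticket cache; that is the prerequisite the AllowTGTSessionKey policy controls and the reason the 401 Negotiate challenge above cannot be answered. It assumes a domain-joined Windows host; the class name and the JAAS entry name "tgt-check" are arbitrary.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Reports whether this JVM sees a TGT with a session key in the native ticket cache. */
public class TgtSessionKeyCheck {

    /** JAAS configuration built in code, equivalent to a one-entry login.conf. */
    static final class NativeCacheConfig extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<String, String>();
            opts.put("useTicketCache", "true"); // on Windows: read the LSA ticket cache
            opts.put("doNotPrompt", "true");    // fail instead of asking for a password
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    }

    public static void main(String[] args) {
        LoginContext lc;
        try {
            // "tgt-check" is an arbitrary entry name resolved by NativeCacheConfig
            lc = new LoginContext("tgt-check", null, null, new NativeCacheConfig());
            lc.login();
        } catch (LoginException e) {
            // No usable TGT reached the JVM from the native cache
            System.out.println("NO TGT from native ticket cache: " + e.getMessage());
            return;
        }
        Subject subject = lc.getSubject();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("Ticket for " + t.getServer()
                + ", session key " + (t.getSessionKey() == null ? "MISSING" : "present")
                + ", expires " + t.getEndTime());
        }
    }
}
```

On a host where the policy leaves the session key unavailable, the login fails or the listed ticket shows a missing key; on a host with AllowTGTSessionKey = 1 the TGT is listed with its key present, which makes the dependency of the built-in SPNEGO path on that setting visible before any HTTP request is made.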
