JDK-8161921

Windows 10 Credential Guard does not allow sharing of TGT with Java

Details

    Description

      A DESCRIPTION OF THE REQUEST :
      Windows 10 enhances its LSASS process by virtualization. This feature is called Credential Guard.

      We are using Java SSO for an in-house application and for Spark from IgniteRealtime with the known "hack" of allowtgtsessionkey as described in the following bug report:

      Java requires AllowTGTSessionKey = 1 for Kerberos SSO to work
      https://bugs.openjdk.java.net/browse/JDK-8054026

      Although this hack still works on Windows 10, our company security policy requires that we enable Credential Guard, and once we do that, our Java applications are not allowed to have access to the tokens any more, thus blocking SSO.



      JUSTIFICATION :
      Credential Guard is implemented on Windows 10 and blocks Java from accessing credentials.

      This should be resolved as many applications will stop working.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The proper solution would be to properly support Microsoft Windows SSPI as requested here:

      https://bugs.openjdk.java.net/browse/JDK-6722928
      ACTUAL -
      The actual behavior is that the Java applications cannot have access to the TGT token, effectively blocking the whole authentication process.

      CUSTOMER SUBMITTED WORKAROUND :
      The only workaround is to disable Credential Guard.

            People

              weijun Weijun Wang
              webbuggrp Webbug Group