Bug | Resolution: Unresolved | P4 | None | 8u152 | x86_64 | windows
FULL PRODUCT VERSION :
8u152
ADDITIONAL OS VERSION INFORMATION :
Windows Server 2012 R2
EXTRA RELEVANT SYSTEM CONFIGURATION :
Tomcat 8.5.20 with Kerberos and JNDI
A DESCRIPTION OF THE PROBLEM :
Related to bug JDK-8149521: "automatic discovery of LDAP servers with Kerberos authentication", supposedly fixed in 8u152. Tested with 8u152 and the issue is there - proven by logs and Wireshark traces. Namely
(1) the JNDI Realm specifies a SRV record e.g.
connectionURL="ldap:///dc=example,dc=adrootqa,dc=net"
(2) the SRV record is resolved to a host FQDN e.g. dc1.example.adrootqa.net
This is visible in the Wireshark trace and no trailing dot is coming with the FQDN from AD
(3) SPNEGO is using SASL/GSSAPI and the first thing it does is to get a ticket for the LDAP SPN - in the trace it is visible that the LDAP SPN it queries has a trailing dot e.g. sname="ldap/ dc1.example.adrootqa.net."
(4) Because of the trailing dot AD returns KDC_ERR_SPN_UNKNOWN
!!! The trailing dot is not coming as a result of the DNS query of the SRV record - it is inserted by the JDK probably in the JNDI/KRB area
The TGS-REQ sent to AD contains the trailing dot e.g.
...
sname-string: 2 items
SNameString: ldap
SNameString: dc1.example.adrootqa.net.
As a result of the trailing dot the LDAP SPN is not found on AD and SSO fails
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Configure SSO on Tomcat (krb5.ini with JNDI realm in server.xml pointing to a SRV record e.g. connectionURL="ldap:///dc=example,dc=adrootqa,dc=net").
Try to execute the single sign-on while taking a trace on the Tomcat server including LDAP, Kerberos and DNS. Check the logs.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The TGS-REQ sent by SPNEGO should not contain the trailing dot - it should be exactly the FQDN as it came in the "answers" section from the DNS query for the SRV record e.g. (notice no trailing dot)
...
Answers
_ldap._tcp.example.adrootqa.net: type SRV, class IN, priority 0, weight 100, port 389, target dc1.example.adrootqa.net
Service: _ldap
Protocol: _tcp
Name: example.adrootqa.net
Type: SRV (Server Selection) (33)
Class: IN (0x0001)
ACTUAL -
The TGS-REQ sent to AD contains the trailing dot e.g.
...
sname-string: 2 items
SNameString: ldap
SNameString: dc1.example.adrootqa.net.
(notice the trailing dot inserted by JDK)
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
No workaround
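The report's diagnosis rests on comparing two pieces of trace output: the SRV target returned by DNS (no root dot) and the sname carried in the TGS-REQ (root dot present). The script below is an added illustration, not code from the report or from the JDK, that does that comparison over constructed text modelled on the quoted trace lines: it pulls the SRV target out of the DNS answer, derives the SPN Active Directory would expect (root dot stripped), extracts the SPN actually requested from the TGS-REQ dump, and reports whether a trailing dot explains a mismatch. The regexes assume Wireshark's one-line SRV summary and "SNameString:" fields as quoted in the report; the sample text is constructed, not a real capture.

```python
import re

# Constructed sample, modelled on the "Answers" line quoted in the report.
SRV_ANSWER = (
    "_ldap._tcp.example.adrootqa.net: type SRV, class IN, priority 0, "
    "weight 100, port 389, target dc1.example.adrootqa.net\n"
)

# Constructed sample of the TGS-REQ sname fields quoted in the report.
TGS_REQ_SNAME = (
    "sname-string: 2 items\n"
    "SNameString: ldap\n"
    "SNameString: dc1.example.adrootqa.net.\n"
)

# Matches Wireshark's one-line SRV record summary (assumed layout).
SRV_RE = re.compile(r"type SRV,.*?port (\d+), target (\S+)")


def parse_srv_targets(text):
    """Return (host, port) pairs for every SRV answer line in a trace dump."""
    targets = []
    for line in text.splitlines():
        m = SRV_RE.search(line)
        if m:
            targets.append((m.group(2), int(m.group(1))))
    return targets


def normalize_fqdn(host):
    """Strip one trailing root dot; AD registers SPNs without it.

    The bare root name "." is left alone so it is not turned into "".
    """
    if host.endswith(".") and len(host) > 1:
        return host[:-1]
    return host


def expected_ldap_spn(host):
    """SPN AD is expected to hold for an LDAP service on this host."""
    return "ldap/" + normalize_fqdn(host)


def sname_from_tgs_req(text):
    """Join SNameString values of a TGS-REQ dump into 'service/host' form."""
    parts = re.findall(r"SNameString:\s*(\S+)", text)
    return "/".join(parts)


def host_part(spn):
    return spn.split("/", 1)[1] if "/" in spn else spn


def diagnose(srv_text, tgs_text):
    """Compare DNS-derived SPN with the SPN actually requested.

    Returns a dict describing the first SRV target; 'trailing_dot' is True
    when the only difference is a root dot appended to the requested host.
    """
    targets = parse_srv_targets(srv_text)
    if not targets:
        return {"error": "no SRV answer found"}
    dns_host, _port = targets[0]
    expected = expected_ldap_spn(dns_host)
    actual = sname_from_tgs_req(tgs_text)
    trailing = host_part(actual).endswith(".") and normalize_fqdn(host_part(actual)) == host_part(expected)
    return {
        "dns_target": dns_host,
        "expected_spn": expected,
        "requested_spn": actual,
        "match": expected == actual,
        "trailing_dot": trailing,
    }


if __name__ == "__main__":
    for k, v in diagnose(SRV_ANSWER, TGS_REQ_SNAME).items():
        print(f"{k}: {v}")
```

Run against a real capture, the two text blocks would be replaced by the SRV "Answers" line and the TGS-REQ sname fields exported from Wireshark; a result with match False and trailing_dot True is the signature described in the report, and the KDC_ERR_SPN_UNKNOWN response that follows it is the symptom to correlate in the Kerberos trace.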