JDK-8210801

Provide a default native GSS-API library on Windows


    • CSR
    • Resolution: Approved
    • P3
    • 12
    • security-libs
    • None
    • minimal
    • There was no default native GSS-API library on Windows before, so a user had to set "sun.security.jgss.lib" to a 3rd-party library. After this change, this setting still works, and users now have the option of using a built-in library (when "sun.security.jgss.native" is set to "true" and "sun.security.jgss.lib" is not set).
    • System or security property
    • JDK

      Summary

      Provide a default native GSS-API library on Windows so that users do not need to install a 3rd-party library. This library will be client-side only and supports the Kerberos 5 and SPNEGO mechanisms.

      Problem

      In JDK 11 we ported the native GSS bridge to Windows, which allows the JDK to use an existing native GSS-API library. However, unlike other OSes, where there is either an out-of-the-box native GSS-API library or one that can be easily installed from the system package manager, there is no default native GSS-API library on Windows, and users have to install a 3rd-party one.

      There are other benefits to using our own native GSS-API library. See the solution below.

      Solution

      Create a native GSS-API library for Windows and include it in JDK as the default native GSS-API library. The library will expose its functions through the RFC 2743 GSS-API C bindings, and its implementation will be based on Windows SSPI APIs.

      This native library is superior to the existing Java GSS-API library in that it can directly read the user credentials cached during Windows logon. The Java GSS-API library used to be able to read that cache when a registry value was set, but this is now disabled by Windows 10 Credential Guard. If the Java GSS-API library cannot read the cache, it has to log in itself by asking the user for a username and password. This prevents Kerberos from being used as a Single Sign-On mechanism.

      Specification

      This library will be loaded automatically by the native GSS bridge if the system property "sun.security.jgss.native" is set to "true". Users who want to use a 3rd-party native GSS-API library instead can set the system property "sun.security.jgss.lib" to its path.

      This change will be described on the Accessing Native GSS-API page.
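      As an added illustration (not code from this CSR or from the JDK sources), the following client obtains an initiator context through the native GSS bridge configured with the two properties above; the class name and the service principal HTTP@app.example.com are assumptions.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Run with the JDK's built-in native GSS-API library (JDK 12 and later on Windows):
 *   java -Dsun.security.jgss.native=true NativeGssClient HTTP@app.example.com
 * Run with a 3rd-party native library instead of the built-in one:
 *   java -Dsun.security.jgss.native=true -Dsun.security.jgss.lib=C:\path\to\gssapi.dll
 *        NativeGssClient HTTP@app.example.com
 * Both properties are read when JGSS initializes, so set them on the command line.
 */
public class NativeGssClient {
    // Standard mechanism OIDs for Kerberos 5 and SPNEGO.
    static final Oid KRB5 = oid("1.2.840.113554.1.2.2");
    static final Oid SPNEGO = oid("1.3.6.1.5.5.2");

    static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws GSSException {
        String service = args.length > 0 ? args[0] : "HTTP@app.example.com"; // assumed name
        Oid mech = args.length > 1 && args[1].equalsIgnoreCase("krb5") ? KRB5 : SPNEGO;

        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);

        // A null credential asks for the default initiator credential. With the
        // native bridge this comes from the credentials cached at Windows logon,
        // so no LoginContext or password prompt is involved.
        GSSContext ctx = manager.createContext(peer, mech, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        ctx.requestIntegrity(true);

        // Produce the first token the client would send to the service.
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        System.out.printf("mechanism %s, initial token of %d bytes%n", mech, token.length);
        ctx.dispose();
    }
}
```

      Without "sun.security.jgss.native=true" the same code runs on the pure-Java GSS-API provider, which cannot read the logon cache under Credential Guard and therefore needs a JAAS login to obtain credentials.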

            Weijun Wang
            Sean Mullan