Bug
Resolution: Fixed
P4
18
None
The current JGSS implementation does not allow the use of non-forwardable S4U2self tickets.
The application fails with an exception caused by:
KrbException: S4U2self ticket must be FORWARDABLE
at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:105)
at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:495)
at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:395)
This exception was added as part of JDK-8022582 [1], and it is thrown for every non-forwardable S4U2self ticket.
However, according to the Microsoft spec [2], the KDC marks the S4U2Self ticket as non-forwardable when trustedToAuthForDelegation is false and the msDs-AllowedToDelegateTo list is nonempty.
In this case, the SFU client should not fail but locate a DS_BEHAVIOR_WIN2012 DC to send the request to [3].
[1] - http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/ae6449bc523f#l3.17
[2] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960
[3] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960
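The following is an added illustration, not JDK code and not part of the original report: a small offline model of the flag check behind this exception. It decodes the forwardable bit of an RFC 4120 TicketFlags field and contrasts a client that rejects every non-forwardable S4U2self ticket with one that accepts it. The class and method names, the sample flag bytes and the SPN are all hypothetical.

```java
import java.util.List;

public class S4U2SelfFlagCheck {
    // RFC 4120 TicketFlags: bit 0 is the most significant bit of octet 0.
    static final int FORWARDABLE = 1;

    static boolean isSet(byte[] flags, int bit) {
        return (flags[bit / 8] & (0x80 >> (bit % 8))) != 0;
    }

    // KDC side, as the report quotes MS-SFU: the S4U2self ticket is marked
    // non-forwardable when trustedToAuthForDelegation is false and
    // msDs-AllowedToDelegateTo is nonempty. Other cases are left untouched here.
    static byte[] issue(byte[] requested, boolean trustedToAuthForDelegation,
                        List<String> allowedToDelegateTo) {
        byte[] flags = requested.clone();
        if (!trustedToAuthForDelegation && !allowedToDelegateTo.isEmpty()) {
            flags[0] &= (byte) ~0x40; // clear bit 1 (forwardable)
        }
        return flags;
    }

    // Client behaviour shown in the stack trace: reject every such ticket.
    static void strictClient(byte[] flags) {
        if (!isSet(flags, FORWARDABLE)) {
            throw new IllegalStateException("S4U2self ticket must be FORWARDABLE");
        }
    }

    // Behaviour the report asks for: accept the ticket and expose the flag.
    static String tolerantClient(byte[] flags) {
        return "accepted, forwardable=" + isSet(flags, FORWARDABLE);
    }

    public static void main(String[] args) {
        // Constructed sample: forwardable (bit 1), renewable (bit 8), pre-authent (bit 10).
        byte[] requested = {0x40, (byte) 0xA0, 0x00, 0x00};
        // Constructed SPN for a hypothetical service account.
        byte[] ticket = issue(requested, false, List.of("cifs/files.example.test"));

        System.out.println(tolerantClient(ticket));
        try {
            strictClient(ticket);
        } catch (IllegalStateException e) {
            System.out.println("strict client failed: " + e.getMessage());
        }
    }
}
```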
csr for: JDK-8277308 S4U2Self ticket without forwardable flag (Closed)