JDK-8277308

S4U2Self ticket without forwardable flag

    • Type: CSR
    • Resolution: Approved
    • Priority: P4
    • Fix Version: 18
    • Component: security-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: New system/security property. No behavior change if not set.
    • Interface Kind: System or security property
    • Scope: Implementation

      Summary

      Add a new system/security property, for interoperability with Windows Server, that allows a non-forwardable service ticket to be used in a Kerberos S4U2proxy exchange.

      Problem

      MS-SFU section 1.3.2 states the following requirement:

      The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set (see Service 1 in the figure specifying Kerberos delegation with forwarded TGT, section 1.3.3). This ticket can be obtained through an S4U2self protocol exchange.

      Some versions of Windows Server do not set the forwardable flag in the ticket returned by an S4U2self exchange, yet still accept that ticket in a subsequent S4U2proxy request.

      The JDK's S4U implementation requires the forwardable flag in an S4U2self response and therefore rejects such responses, so delegation fails against these KDCs.

      Solution

      Add a new system/security property. When it is set to true, an S4U2self response whose ticket lacks the forwardable flag is accepted. Such a ticket can then be used in an S4U2proxy exchange; some KDCs accept it and others reject it with a KRB-ERROR of code KDC_ERR_BADOPTION. When that error is received and the ticket to the middle service is non-forwardable, the request is retried against another KDC of the realm instead of being treated as a fatal failure. The property only relaxes a check in the client; whether the delegation is actually permitted is still decided by the KDC that processes the S4U2proxy request.

      Specification

      Define the new property in conf/security/java.security:

      #
      # Policy for non-forwardable service ticket in a S4U2proxy request
      #
      # The Service for User to Proxy (S4U2proxy) Kerberos extension enables a middle service
      # to obtain a service ticket to another service on behalf of a user. It requires that
      # the user's service ticket to the first service has the forwardable flag set [1].
      # However, some KDC implementations ignore this requirement and accept service tickets with
      # the flag unset.
      #
      # If this security property is set to "true", then
      #
      # 1) The user service ticket, when obtained by the middle service after a S4U2self
      #    impersonation, is not required to have the forwardable flag set; and,
      #
      # 2) If a S4U2proxy request receives a KRB_ERROR of the KDC_ERR_BADOPTION error code
      #    and the ticket to the middle service is not forwardable, OpenJDK will try the same
      #    request with another KDC instead of treating it as a fatal failure.
      #
      # The default value is "false".
      #
      # If a system property of the same name is also specified, it supersedes the
      # security property value defined here.
      #
      # [1] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/bde93b0e-f3c9-4ddf-9f44-e1453be7af5a
      #jdk.security.krb5.s4u2proxy.acceptNonForwardableServiceTicket=false
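      The following program, added here as an example and not part of this CSR or of the JDK sources, shows how a middle service exercises the path the property affects: it opts in through the system property named above, performs S4U2self for a user via the JDK's ExtendedGSSCredential.impersonate API, and then starts an S4U2proxy context to a backend service. The JAAS entry name "MiddleService", the keytab path, and the principal and host names are assumptions for illustration; the property name and the two-step S4U flow are from the page.

```java
import com.sun.security.jgss.ExtendedGSSCredential;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/*
 * Added example, not part of JDK-8277308 or the JDK sources.
 *
 * Assumed JAAS login configuration (file passed with
 * -Djava.security.auth.login.config=...):
 *
 *   MiddleService {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useKeyTab=true storeKey=true
 *           keyTab="/etc/krb5/middle.keytab"
 *           principal="HTTP/middle.example.com@EXAMPLE.COM";
 *   };
 */
public class S4U2ProxyDemo {

    // Property introduced by this CSR. Setting it as a system property supersedes
    // the java.security entry; -D<name>=true on the command line is equivalent.
    static final String ACCEPT_NON_FORWARDABLE =
            "jdk.security.krb5.s4u2proxy.acceptNonForwardableServiceTicket";

    public static void main(String[] args) throws Exception {
        // Must be set before the Kerberos code reads it, i.e. before any JGSS call.
        System.setProperty(ACCEPT_NON_FORWARDABLE, "true");

        String user = args.length > 0 ? args[0] : "alice@EXAMPLE.COM"; // assumed
        String backend = "HTTP@backend.example.com";                    // assumed

        LoginContext lc = new LoginContext("MiddleService");
        lc.login();
        // Subject.callAs is JDK 18+; on older releases use Subject.doAs with a
        // PrivilegedExceptionAction instead.
        byte[] apReq = Subject.callAs(lc.getSubject(), () -> delegate(user, backend));
        System.out.println("Initial context token for " + backend + ": "
                + apReq.length + " bytes");
    }

    /**
     * S4U2self for userPrincipal, then S4U2proxy to backendService. Returns the
     * initial context token (AP-REQ) that the middle service would send to the
     * backend, e.g. in an HTTP Negotiate header.
     */
    static byte[] delegate(String userPrincipal, String backendService) throws GSSException {
        GSSManager gm = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");

        // The middle service's own credential, taken from the JAAS Subject.
        GSSCredential self = gm.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                krb5, GSSCredential.INITIATE_ONLY);

        // S4U2self: request a ticket from the user to ourselves. With the property
        // set, a reply whose ticket lacks the forwardable flag is kept instead of
        // being rejected.
        GSSName user = gm.createName(userPrincipal, GSSName.NT_USER_NAME);
        GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(user);

        // S4U2proxy: initiating a context with the impersonated credential makes the
        // JDK ask the KDC for a ticket to the backend on the user's behalf. If the KDC
        // answers KDC_ERR_BADOPTION and the user ticket is not forwardable, the JDK
        // retries the same request against another KDC before failing.
        GSSName backend = gm.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = gm.createContext(backend, krb5, asUser, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(false);
        return ctx.initSecContext(new byte[0], 0, 0);
    }
}
```

      Run it with a realm configured in krb5.conf, for example `java -Djava.security.auth.login.config=jaas.conf S4U2ProxyDemo alice@EXAMPLE.COM`. The "other KDC" tried after a KDC_ERR_BADOPTION is the next one the JDK knows for the realm, i.e. the remaining kdc entries for that realm in krb5.conf (or those found via DNS SRV lookup when that is enabled), so the fallback only helps in a realm that actually has more than one KDC reachable.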

      People: Weijun Wang (weijun), Alexey Bakhtin (abakhtin), Valerie Peng