- CSR
- Resolution: Unresolved
- P4
- None
- behavioral
- minimal
- Compatibility risk is minimal because there are no behavioral changes with the default (undefined) options.
- System or security property
- JDK
Summary
Provide an option to skip Krb5LoginModule::login method
Problem
JGSS is implemented in the JVM at two levels: the standard Java security provider for Kerberos in sun.security.jgss.krb5.Krb5MechFactory and the JAAS login module for Kerberos in com.sun.security.auth.module.Krb5LoginModule. In this hierarchy, the login module does not go through the provider but tries to read the credential cache directly. The Credential Guard feature in Microsoft Windows does not allow the session keys of Ticket-Granting Tickets (TGTs) to be exported. As a result, any authentication attempt through the login module on a system with Credential Guard enabled fails with a LoginException. This is not an issue if Kerberos is used via the JGSS API, because JGSS performs the JAAS login itself as needed, and does not perform it at all if a native implementation is used. However, many libraries still needlessly call login() before using JGSS.
Solution
The solution introduces the "doNotLogin" configuration option for Krb5LoginModule, which allows the login to be skipped. The new "sun.security.auth.krb5.doNotLogin" system property supplies the default value of the "doNotLogin" option when the option is not given in the JAAS configuration.
The default value for both options (if not specified) is false.
This way, the regular Java Kerberos provider is not affected, and users can set the expected behavior individually (via JAAS configurations) and globally (via the system property).
Specification
There are no API changes. One new system property, sun.security.auth.krb5.doNotLogin, and one configuration option, "doNotLogin", are introduced as described in the "Solution" section.
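The following Java program is an added example and is not part of this CSR or the JDK; it contrasts the two client patterns the Problem section describes. The first calls LoginContext.login() explicitly (the pattern that fails under Credential Guard and that the proposed doNotLogin option targets); the second uses JGSS directly and lets it obtain credentials on its own. The class name KrbClientPatterns, the JAAS entry name "KrbClient" and the service name "HTTP@www.example.com" are assumptions chosen for the example; the example assumes a working krb5.conf, a reachable KDC and a JAAS configuration file passed with -Djava.security.auth.login.config. The doNotLogin option shown in the configuration comment is the option proposed by this CSR, not a shipped JDK option.

```java
// Added example (not part of the CSR or the JDK). Assumes a JAAS configuration
// file passed with -Djava.security.auth.login.config=jaas.conf containing an
// entry named "KrbClient" (name chosen for this example), e.g.:
//
//   KrbClient {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true
//           doNotLogin=true;   // option proposed by this CSR, not a shipped JDK option
//   };
//
// The proposed -Dsun.security.auth.krb5.doNotLogin=true system property would
// supply the same default for every entry that does not set doNotLogin itself.
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class KrbClientPatterns {

    /** Builds the initial Kerberos context token for a host-based service name
     *  such as "HTTP@www.example.com" (an assumed, constructed target). */
    static byte[] initialToken(GSSManager manager, String service) throws GSSException {
        Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // standard Kerberos V5 mechanism OID
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(peer, krb5Mech, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        try {
            return ctx.initSecContext(new byte[0], 0, 0);
        } finally {
            ctx.dispose();
        }
    }

    /**
     * Pattern 1: the library calls LoginContext.login() itself before using JGSS.
     * On a host with Credential Guard enabled, Krb5LoginModule cannot read the TGT
     * session key from the credential cache, so login() throws LoginException
     * before JGSS is ever reached. The CSR's proposed doNotLogin option targets
     * exactly this call by letting the login step be skipped.
     */
    static byte[] loginThenGss(String service) throws LoginException, PrivilegedActionException {
        LoginContext lc = new LoginContext("KrbClient");
        lc.login();
        Subject subject = lc.getSubject();
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () ->
                initialToken(GSSManager.getInstance(), service));
    }

    /**
     * Pattern 2: no explicit login. With useSubjectCredsOnly=false, JGSS performs
     * the JAAS login itself only when it needs credentials; with
     * -Dsun.security.jgss.native=true the JDK delegates to a native GSS-API
     * library instead and, as the CSR notes, does no JAAS login at all.
     */
    static byte[] gssOnly(String service) throws GSSException {
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        return initialToken(GSSManager.getInstance(), service);
    }

    public static void main(String[] args) throws Exception {
        String service = args.length > 0 ? args[0] : "HTTP@www.example.com";
        try {
            byte[] t1 = loginThenGss(service);
            System.out.println("login()+GSS: token of " + t1.length + " bytes");
        } catch (LoginException e) {
            // This is the failure mode the CSR describes under Credential Guard.
            System.out.println("explicit login() failed: " + e.getMessage());
        }
        byte[] t2 = gssOnly(service);
        System.out.println("GSS only: token of " + t2.length + " bytes");
    }
}
```

Run it with a JAAS configuration file and a service principal that exists in the realm, for example `java -Djava.security.auth.login.config=jaas.conf KrbClientPatterns HTTP@www.example.com`. On a Credential Guard host the first pattern reports the LoginException while the second still produces a token, which is the asymmetry the CSR's option is meant to close for libraries that cannot drop their explicit login() call.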
- csr of: JDK-8311532 Option to disable Krb5LoginModule::login method (Open)