Fix Version/s: 18
Compatibility Risk Description:New system/security property. No behavior change if not set.
Interface Kind:System or security property
Create a new system/security property to interop with Windows Server that allows a non-forwardable ticket used in Kerberos S4U2proxy.
While the specification of MS-SFU 1.3.2 has the requirement
The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set (see Service 1 in the figure specifying Kerberos delegation with forwarded TGT, section 1.3.3). This ticket can be obtained through an S4U2self protocol exchange.
Some versions of Windows Server do not set the forwardable flag in a S4U2self response and accept it in a S4U2proxy request.
In our SFU implementation, we require the forwardable flag in a S4U2self response and thus reject this kind of response.
Add a new system/security property. When set, we accept this kind of S4U2self response. Furthermore, when using such a ticket in a S4U2proxy message exchange, some server will accept it and some will reject it with a KRB-ERR-BADOPTION. When such an error message is received, try another KDC to see if it can be accepted.
Define the new property in
# # Policy for non-forwardable service ticket in a S4U2proxy request # # The Service for User to Proxy (S4U2proxy) Kerberos extension enables a middle service # to obtain a service ticket to another service on behalf of a user. It requires that # the user's service ticket to the first service has the forwardable flag set . # However, some KDC implementations ignore this requirement and accept service tickets with # the flag unset. # # If this security property is set to "true", then # # 1) The user service ticket, when obtained by the middle service after a S4U2self # impersonation, is not required to have the forwardable flag set; and, # # 2) If a S4U2proxy request receives a KRB_ERROR of the KDC_ERR_BADOPTION error code # and the ticket to the middle service is not forwardable, OpenJDK will try the same # request with another KDC instead of treating it as a fatal failure. # # The default value is "false". # # If a system property of the same name is also specified, it supersedes the # security property value defined here. # #  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/bde93b0e-f3c9-4ddf-9f44-e1453be7af5a #jdk.security.krb5.s4u2proxy.acceptNonForwardableServiceTicket=false