        Description

        The Kerberos client has partial support for the Microsoft MS-SFU extensions [1]. These extensions can be used by "middle services" to obtain a TGS (Ticket-Granting-Service) ticket on behalf of a user principal in a constrained delegation context. The S4U2Self extension covers impersonation of the user by the "middle service" itself, while S4U2Proxy covers impersonation of the user towards a "backend service".

        In the S4U2Self case, the current implementation requires the impersonated principal and the "middle service" to be in the same realm. S4U2Proxy has a similar requirement for the "backend service". As a result, cross-realm referrals (specified by this protocol extension [2] [3]) cannot be handled. See [4] for an example of an S4U2Self exchange in a multi-realm context.

        The goal of this enhancement is to build on the support for Kerberos cross-realm referrals (introduced in the context of 8215032 [5]) and extend it to S4U2Self and S4U2Proxy.

        Note: the absence of this enhancement was originally noticed in new tests introduced for JEP113. See the original report below [6].
        --
        [1] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94
        [2] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/b2f8745f-5bd9-4c93-8a2b-ff4b95ed63eb
        [3] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/36a72c74-7995-4cba-a2d2-6c9471a2a6af
        [4] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/f35b6902-6f5e-4cd0-be64-c50bbaaf54a5
        [5] - https://bugs.openjdk.java.net/browse/JDK-8215032

        [6] - The tests jep113/MIT-AD2008-AD2008-Cons and jep113/SEAM-AD2008-AD2008-Cons are part of the new tests for JEP113, Constrained delegation in Kerberos.

        Test Description:
        ---------------------
        client@REALM2 has established a Kerberos context with krbservice1@REALM1 with delegcred=false; krbservice1@REALM1 delegates to krbservice2@REALM1 using S4U2PROXY.
        NOTE: S4U2PROXY is within the same realm.

        The tests jep113/MIT-AD2008-AD2008-Cons and jep113/SEAM-AD2008-AD2008-Cons fail with message:
        [2013-01-07T22:30:33.73] KrbException: KDC cannot accommodate requested option (13)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
        [2013-01-07T22:30:33.73] at sun.security.krb5.internal.CredentialsUtil.acquireS4U2proxyCreds(CredentialsUtil.java:90)
        [2013-01-07T22:30:33.73] at sun.security.krb5.Credentials.acquireS4U2proxyCreds(Credentials.java:460)
        [2013-01-07T22:30:33.73] at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:694)
        [2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        [2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        [2013-01-07T22:30:33.73] at Krb5Initiator.establishSecurityContext(Krb5Initiator.java:132)
        [2013-01-07T22:30:33.73] at UseDelegatedCredAction.run(UseDelegatedCredAction.java:64)
        [2013-01-07T22:30:33.73] at java.security.AccessController.doPrivileged(Native Method)
        [2013-01-07T22:30:33.73] at javax.security.auth.Subject.doAsPrivileged(Subject.java:474)
        [2013-01-07T22:30:33.73] at Server.impersonateClient(Server.java:470)
        [2013-01-07T22:30:33.73] at Server.run(Server.java:147)
        [2013-01-07T22:30:33.73] at java.lang.Thread.run(Thread.java:722)
        [2013-01-07T22:30:33.73] Caused by: KrbException: Identifier doesn't match expected value (906)
        [2013-01-07T22:30:33.73] at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
        [2013-01-07T22:30:33.73] at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
        [2013-01-07T22:30:33.73] at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
        [2013-01-07T22:30:33.73] ... 14 more
        [2013-01-07T22:30:33.73] GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
        [2013-01-07T22:30:33.73] at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:767)
        [2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        [2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        [2013-01-07T22:30:33.73] at Krb5Initiator.establishSecurityContext(Krb5Initiator.java:132)
        [2013-01-07T22:30:33.73] at UseDelegatedCredAction.run(UseDelegatedCredAction.java:64)
        [2013-01-07T22:30:33.73] at java.security.AccessController.doPrivileged(Native Method)
        [2013-01-07T22:30:33.73] at javax.security.auth.Subject.doAsPrivileged(Subject.java:474)
        [2013-01-07T22:30:33.73] at Server.impersonateClient(Server.java:470)
        [2013-01-07T22:30:33.73] at Server.run(Server.java:147)
        [2013-01-07T22:30:33.73] at java.lang.Thread.run(Thread.java:722)
        [2013-01-07T22:30:33.73] Caused by: KrbException: KDC cannot accommodate requested option (13)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
        [2013-01-07T22:30:33.73] at sun.security.krb5.internal.CredentialsUtil.acquireS4U2proxyCreds(CredentialsUtil.java:90)
        [2013-01-07T22:30:33.73] at sun.security.krb5.Credentials.acquireS4U2proxyCreds(Credentials.java:460)
        [2013-01-07T22:30:33.73] at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:694)
        [2013-01-07T22:30:33.73] ... 9 more
        [2013-01-07T22:30:33.73] Caused by: KrbException: Identifier doesn't match expected value (906)
        [2013-01-07T22:30:33.73] at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
        [2013-01-07T22:30:33.73] at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
        [2013-01-07T22:30:33.73] at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
        [2013-01-07T22:30:33.73] ... 14 more
        [2013-01-07T22:30:33.73] GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
        [2013-01-07T22:30:33.73] at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:767)
        [2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        [2013-01-07T22:30:33.73] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        [2013-01-07T22:30:33.73] at Krb5Initiator.establishSecurityContext(Krb5Initiator.java:132)
        [2013-01-07T22:30:33.73] at UseDelegatedCredAction.run(UseDelegatedCredAction.java:64)
        [2013-01-07T22:30:33.73] at java.security.AccessController.doPrivileged(Native Method)
        [2013-01-07T22:30:33.73] at javax.security.auth.Subject.doAsPrivileged(Subject.java:474)
        [2013-01-07T22:30:33.73] at Server.impersonateClient(Server.java:470)
        [2013-01-07T22:30:33.73] at Server.run(Server.java:147)
        [2013-01-07T22:30:33.73] at java.lang.Thread.run(Thread.java:722)
        [2013-01-07T22:30:33.73] Caused by: KrbException: KDC cannot accommodate requested option (13)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
        [2013-01-07T22:30:33.73] at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
        [2013-01-07T22:30:33.73] at sun.security.krb5.internal.CredentialsUtil.acquireS4U2proxyCreds(CredentialsUtil.java:90)
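        As an added example (not code from the JDK or from the issue), the middle-service flow described above written against the JGSS API, using the principals of the test scenario: krbservice1@REALM1 impersonates client@REALM2 (S4U2Self) and then authenticates to krbservice2@REALM1 on the user's behalf (S4U2Proxy). It assumes it runs inside Subject.doAs() for a Subject that already holds krbservice1's Kerberos credentials and a krb5.conf that knows both realms; the class and method names are hypothetical.

```java
import org.ietf.jgss.*;
import com.sun.security.jgss.ExtendedGSSCredential;

// Hypothetical class: constructed example of the S4U2Self + S4U2Proxy flow
// from the "middle service" side (krbservice1@REALM1 in the test scenario).
public class ConstrainedDelegationDemo {
    // Kerberos V5 GSS-API mechanism OID (RFC 1964).
    private static Oid krb5() throws GSSException {
        return new Oid("1.2.840.113554.1.2.2");
    }

    // Returns the initial AP-REQ token for the backend, built on behalf of
    // userPrincipal. Must run inside Subject.doAs() for a Subject that holds
    // the middle service's own Kerberos credentials (e.g. Krb5LoginModule with
    // a keytab), as the original report's Server.impersonateClient() does.
    public static byte[] delegateToBackend(String userPrincipal, String backendPrincipal)
            throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = krb5();

        // The middle service's own initiator credential, taken from the Subject.
        GSSCredential self = mgr.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);

        // S4U2Self: ask the KDC for a ticket to ourselves on behalf of the user.
        // The user is in REALM2 while the service is in REALM1; this is the
        // cross-realm case the enhancement targets (referrals must be followed).
        GSSName user = mgr.createName(userPrincipal, GSSName.NT_USER_NAME, krb5);
        GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(user);

        // S4U2Proxy: initiating a context with the impersonated credential makes
        // the krb5 mechanism request a ticket for the backend on the user's
        // behalf. This is the call path that failed with KDC_ERR_BADOPTION (13)
        // in the original report (Krb5Context.initSecContext -> acquireS4U2proxyCreds).
        GSSName backend = mgr.createName(backendPrincipal, GSSName.NT_USER_NAME, krb5);
        GSSContext ctx = mgr.createContext(backend, krb5, asUser, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        // A real service keeps ctx to feed the backend's reply back into initSecContext.
        return ctx.initSecContext(new byte[0], 0, 0);
    }

    public static void main(String[] args) throws GSSException {
        // Run with -Dsun.security.krb5.debug=true to trace the TGS exchanges.
        byte[] apReq = delegateToBackend("client@REALM2", "krbservice2@REALM1");
        System.out.println("AP-REQ token for backend: " + apReq.length + " bytes");
    }
}
```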

        People

          Assignee: mbalao Martin Balao
          Reporter: nisriniv Nithya Srinivasan (Inactive)