Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8054026

Java requires AllowTGTSessionKey = 1 for Kerberos SSO to work

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: P4
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:

      Description

      A DESCRIPTION OF THE REQUEST :
      * Java desktop client requires Kerberos Windows registry setting AllowTGTSessionKey = 1 for Kerberos SSO with kerberized backend to work. AllowTGTSessionKey = 1 is against our security policy.
      * Java client fails to retrieve the requested Kerberos service ticket from the underlying Windows OS when requested via HTTP 401 challenge response
      * Java client fails to retrieve the requested Kerberos service ticket from the underlying Windows OS when requested via HTTP 401 challenge response
      * Underlying OS is Windows 7 Enterprise SP1 in combination with Java jre1.7.0_60_32bit
      * The AllowTGTSessionKey topic is discussed in countless articles and blogs. AllowTGTSessionKey = 1 makes problem go away but is against the security policy due to its inherent security risk


      JUSTIFICATION :
      * Java should integrate with the native Windows SSPI so AllowTGTSessionKey = 1 is no longer necessary.

      * AllowTGTSessionKey = 1 is a security vulnerability by remote exploits

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      * java should integrate with native Windows SSPI to retrieve the required Kerberos service ticket.


      ACTUAL -
      Java client just errors out with "java.io.IOException: Server returned HTTP response code: 401 for URL ...." when receiving the HTTP 401 negotiate challenge from the kerberized backend

      ---------- BEGIN SOURCE ----------
      package sun.net.www.protocol.http.spnego;

      import java.io.IOException;

      import sun.net.www.protocol.http.HttpCallerInfo;
      import sun.net.www.protocol.http.Negotiator;
      import waffle.windows.auth.impl.WindowsSecurityContextImpl;

      public class NegotiatorImpl extends Negotiator {

      private String serviceName;

      public NegotiatorImpl(HttpCallerInfo hci) throws IOException {
          this.serviceName = "HTTP/" + hci.host.toLowerCase();
      }

          @Override
          public byte[] firstToken() throws IOException {
              return WindowsSecurityContextImpl.getCurrent("Negotiate", serviceName).getToken();
          }

          @Override
          public byte[] nextToken(byte[] in) throws IOException {
              return new byte[0];
          }
      }

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      * Either set AllowTGTSessionKey = 1
       OR
      * Overwrite rt.jar class NegotiatorImpl which is part of package sun.net.www.protocol.http.spnego and provide waffle-jna.jar, jna-4.1.0.jar and jna-platform-4.1.0.jar to integrate with native Windows SSPI

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: