Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8161921

Windows 10 Credential Guard does not allow sharing of TGT with Java

    XMLWordPrintable

    Details

      Description

      A DESCRIPTION OF THE REQUEST :
      Windows 10 enhances its LSASS process by virtualization. This feature is called Credential Guard.

      We are using Java SSO for an inhouse application and for Spark from IgniteRealtime with the known "hack" of allowtgtsessionkey as described on the following bug report:

      Java requires AllowTGTSessionKey = 1 for Kerberos SSO to work
      https://bugs.openjdk.java.net/browse/JDK-8054026

      Although this hack still works on Windows 10, our company security policy requires that we enable Credential Guard and once we do that, our Java applications are not allowed to have access to the tokens any more, thus blocking SSO.



      JUSTIFICATION :
      Credential Guard is implemented on Windows 10 and blocks Java from accessing credentials.

      This should be resolved as many applications will stop working.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The proper solution would be to properly support Microsoft Windows SSPI as requested here:

      https://bugs.openjdk.java.net/browse/JDK-6722928
      ACTUAL -
      The actual behavior is that the Java applications cannot have access to the TGT token effectively blocking the whole authentication process.

      CUSTOMER SUBMITTED WORKAROUND :
      The only workaround is to disable Credential Guard.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              webbuggrp Webbug Group
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: