JDK-8272162: S4U2Self ticket without forwardable flag

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: 18
    • Fix Version/s: 18
    • Component/s: security-libs
    • Labels:
      None

      Description

      The current JGSS implementation does not allow the use of non-forwardable S4U2self tickets.
      The application fails with an exception caused by:
      KrbException: S4U2self ticket must be FORWARDABLE
              at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:105)
              at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:495)
              at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:395)
      This check was added as part of JDK-8022582 [1], and the exception is thrown for every non-forwardable S4U2self ticket.

      However, according to the Microsoft specification [2], the KDC marks the S4U2Self ticket as non-forwardable when trustedToAuthForDelegation is false and the msDs-AllowedToDelegateTo list is non-empty.

      In this case, the SFU client should not fail but should instead locate a DS_BEHAVIOR_WIN2012 DC to send the request to [3].

      [1] - http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/ae6449bc523f#l3.17
      [2] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960
      [3] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960
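      The call sequence that reaches the code in the stack trace above (S4U2self via ExtendedGSSCredential.impersonate, then S4U2proxy via initSecContext), written here as an added example; it is not code from the JDK or from the reporter. It assumes the process already holds a Kerberos TGT for its own service account (for example through a JAAS keytab login with -Djavax.security.auth.useSubjectCredsOnly=false and a com.sun.security.jgss.krb5.initiate entry), and the principal names "alice@EXAMPLE.COM" and "cifs@backend.example.com" are hypothetical.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import com.sun.security.jgss.ExtendedGSSCredential;

/**
 * Added example of the JGSS S4U2self + S4U2proxy sequence.
 * Assumptions: the JVM is configured so that the service account's TGT is
 * available to JGSS (JAAS keytab login, useSubjectCredsOnly=false); the
 * user and back-end names passed in are hypothetical.
 */
public class S4UImpersonate {

    public static byte[] impersonateAndInit(String userPrincipal, String backendService)
            throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID

        // Our own credential: the TGT of the middle-tier service account.
        GSSCredential serviceCred = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, krb5Mech, GSSCredential.INITIATE_ONLY);

        GSSName user = manager.createName(userPrincipal, GSSName.NT_USER_NAME);
        GSSCredential userCred;
        try {
            // S4U2self: ask the KDC for a ticket to ourselves on behalf of the user.
            // This is the call that, before the fix, failed when the KDC returned
            // a ticket without the FORWARDABLE flag.
            userCred = ((ExtendedGSSCredential) serviceCred).impersonate(user);
        } catch (GSSException e) {
            Throwable cause = e.getCause();
            if (cause != null && cause.getMessage() != null
                    && cause.getMessage().contains("must be FORWARDABLE")) {
                // The KDC issues a non-forwardable S4U2self ticket when the service
                // account is not trusted to authenticate for delegation (see MS-SFU).
                System.err.println("S4U2self ticket is not forwardable: " + cause.getMessage());
            }
            throw e;
        }

        // S4U2proxy: use the impersonated credential to obtain a service ticket
        // for the back end. The KDC decides based on the middle tier's
        // delegation policy (msDS-AllowedToDelegateTo on this service account).
        GSSName backend = manager.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(
                backend, krb5Mech, userCred, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(false);

        // First (and, without mutual auth, only) token: the AP-REQ for the back end.
        // A real client keeps ctx alive to process the back end's reply and wrap data.
        return ctx.initSecContext(new byte[0], 0, 0);
    }

    public static void main(String[] args) throws GSSException {
        byte[] token = impersonateAndInit("alice@EXAMPLE.COM", "cifs@backend.example.com");
        System.out.println("AP-REQ token for back end: " + token.length + " bytes");
    }
}
```

      With the check described in this report in place, a deployment whose service account has a non-empty msDs-AllowedToDelegateTo list but no trustedToAuthForDelegation never gets past the impersonate call, even though the KDC behaviour that produced the non-forwardable ticket is the documented one.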

              People

               Assignee: weijun (Weijun Wang)
               Reporter: abakhtin (Alexey Bakhtin)