Patching bug 6722928/serious limitations of JGSS under Windows 7
1983-01-06 at gmx.net
Tue Aug 14 10:35:31 UTC 2012
Hi Weijun,
> Hi Michael
>
> The feature was dropped mainly because of the delegation problem. If I remember (and understand) correctly, using the underlying SSPI there seems to be no good way to acquire a FORWARDED ticket and send it to the middle server to perform delegation. I think maybe Microsoft restricts this so that you are always under the UAC umbrella, otherwise, a forwarded TGT might let you do much more than it wants. This means if the client uses SSPI but the server uses pure Java, there is a loss of function, and I was not happy with this (4 years ago). This might change if pure Java Kerberos also supports constrained delegation.
This is confusing. Why is a SPNEGO ticket sent by Firefox which is generated with SSPI forwardable then? I was happily able to retrieve a service ticket for an Active Directory server on behalf of that user's GSSCredential and retrieve some data through LDAP. InitializeSecurityContext and ISC_REQ_DELEGATE don't do the job?
Would it suffice to acquire the CredHandle from AcquireCredentialsHandle and convert that to GSSCredential?
Disclaimer: I am not a C++ hacker nor am I experienced with SSPI. But strong with Kerberos on Java.
> BTW, when you say "a very good patch", have you compiled it and really found it useful? This patch was still in experimental status at the time of posting.
No, I did a code review. It looked very promising. At least way better than the current situation. Is there any chance to re-review that in 2012 with a new outcome?
Thanks for the quick response,
Mike
On 08/14/2012 05:14 PM, 1983-01-06 at gmx.net wrote:
> Hi folks,
>
> like many many other developers I have switched to Windows 7 on my machine. After hours of search I have realized that JGSS is seriously crippled due to UAC, account permissions and LSA's limitations.
>
> I have found the ticket 6722928 which has been filed more than 4 years ago. Surprisingly, Weijun Wang has already provided a very good patch [1] and nothing has happened since 2010.
>
> The current situation of Kerberos in Java on Windows 7 is very frustrating from an enterprise point of view. I am convinced that I speak for the vast majority of devs and users who want to have native SSPI support on Windows with tampering with the registry, cred caches, ini files. Most even can't do because group policies don't allow it. Fortunately I can but since I am a local admin with a domain account, I am crippled too.
>
> Is there anything happening from the OpenJDK folks (Oracle JDK devs) to fix that issue anytime soon? This would bring the great Java platform on par with .NET's support of GSS-API/SSPI on Windows.
>
> Yours,
>
> Michael Osipov
>
> [1] http://cr.openjdk.java.net/~weijun/6722928/webrev.00/jdk.patch