Patching bug 6722928/serious limitations of JGSS under Windows 7

1983-01-06 at gmx.net
Tue Aug 14 11:17:23 UTC 2012


On 08/14/2012 06:35 PM, 1983-01-06 at gmx.net wrote:
> Hi Weijun,
>
>> Hi Michael
>>
>> The feature was dropped mainly because of delegation problem. If I
>> remember (and understand) correctly, using the underlying SSPI there
>> seems no good way to acquire a FORWARDED ticket and send it to the
>> middle server to perform delegation. I think maybe Microsoft restricts
>> this so that you are always under the UAC umbrella, otherwise, a
>> forwarded TGT might let you do much more it wants.
>>
>> This means if the client uses SSPI but the server uses pure Java, there
>> is a loss of function, and I was not happy with this (4 years ago).
>>
>> This might change if pure Java Kerberos also supports constrained
>> delegation.
>
> this is confusing. Why is a SPNEGO ticket sent by Firefox which is generated with SSPI forwardable then? I was happily able to retrieve a service ticket for an Active Directory server on behalf of that user's GSSCredential and retrieve some data through LDAP. InitializeSecurityContext and ISC_REQ_DELEGATE don't do the job?

Maybe I can look at it again. I remember the problem was about delegation. I am not sure now. I cannot determine when I can pick up the feature again. Sorry.

Thank you! That would be a viable contribution to the entire framework.

Michael
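Added here as an illustration of the server-side flow Michael describes (accept the SPNEGO token, pick up the forwarded credential, use it for the LDAP hop); this is example code, not from the thread or the JDK. It assumes the acceptor's Kerberos principal is already in a JAAS login Subject, a single-round-trip SPNEGO token, and a placeholder LDAP URL; the point is to check `getCredDelegState()` before relying on `getDelegCred()`, since an initiator may authenticate without forwarding anything.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import java.security.PrivilegedExceptionAction;
import org.ietf.jgss.*;

public class DelegatedLdapLookup {

    // Acceptor side: finish the SPNEGO handshake and hand back a delegated
    // credential only when the initiator actually forwarded one.
    static GSSCredential acceptAndExtractDelegation(byte[] token) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid("1.3.6.1.5.5.2");
        // null name: use the acceptor principal from the JAAS login Subject (assumed set up)
        GSSCredential serverCred = manager.createCredential(null,
                GSSCredential.INDEFINITE_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);
        byte[] reply = ctx.acceptSecContext(token, 0, token.length);
        // Assumption: one round trip; a real server returns 'reply' and loops on isEstablished()
        if (!ctx.isEstablished()) {
            throw new IllegalStateException("SPNEGO context not established in one round");
        }
        // Check the delegation flag before calling getDelegCred(): an SSPI-backed
        // initiator may authenticate fine without forwarding anything.
        if (!ctx.getCredDelegState()) {
            ctx.dispose();
            return null;
        }
        GSSCredential deleg = ctx.getDelegCred();
        ctx.dispose();
        return deleg;
    }

    // Onward LDAP hop as the user: JNDI's GSSAPI SASL mechanism uses a
    // GSSCredential found in the current Subject's private credentials.
    static DirContext ldapAsUser(GSSCredential deleg, String ldapUrl) throws Exception {
        Subject s = new Subject();
        s.getPrivateCredentials().add(deleg);
        return Subject.doAs(s, (PrivilegedExceptionAction<DirContext>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);   // e.g. "ldap://dc.example.test" (placeholder)
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            return new InitialDirContext(env);
        });
    }
}
```

A null return from the first method is the case the thread is about: the client authenticated but sent no forwardable credential, so the server cannot act on the user's behalf and should not try.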


