OpenJDK 8u302 - Kerberos - Allow non-forwardable S4U2Self ticket
Vipul Mehta
vipulmehta.1989 at gmail.com
Fri Jul 30 10:04:51 UTC 2021
Hi,
Resource based constrained delegation support was added to the JDK via the
following fix: https://bugs.openjdk.java.net/browse/JDK-8005819
This change does not allow an S4U2Self ticket issued by the KDC to be
non-forwardable, as
sun.security.krb5.internal.CredentialsUtil -> acquireS4U2selfCreds() ->
line 105 throws an exception.
Resource based constrained delegation S4U2Proxy will work even without a
non-forwardable S4U2Self ticket if the KDC is configured to accept such a
ticket. So, Java should let the KDC decide whether to accept or reject such a
ticket.
The S4U2Self ticket will be marked as forwardable by the Microsoft KDC in the
following cases:
1) trustedToAuthForDelegation is true
2) trustedToAuthForDelegation is false and the msDs-AllowedToDelegateTo list is
empty.
If trustedToAuthForDelegation is false and the msDs-AllowedToDelegateTo list is
non-empty, then the S4U2Self ticket will not have the forwardable flag.
The S4U2Self ticket is used in the S4U2Proxy TGS-Request.
If the S4U2Self ticket is not forwardable, then S4U2Proxy will work in the
following cases of single-realm resource based constrained delegation:
1) The patch for CVE-2020-16996 is not applied on the KDC.
2) The patch for CVE-2020-16996 is applied on the KDC and the registry entry
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\NonForwardableDelegation
is set to 1 (DWORD type).
--
Regards,
Vipul
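For readers who want to see where the check discussed in this mail surfaces in application code, the following is an added example (not code from the mail, the JDK, or the referenced fix) of the S4U2Self then S4U2Proxy flow through the JDK's GSS-API. It assumes the middle-tier service already has a Kerberos login (keytab via JAAS, or a native credential cache), and the principal names `middle-tier@EXAMPLE.COM`, `alice@EXAMPLE.COM` and `HTTP@backend.example.com` are placeholders. The `ExtendedGSSCredential.impersonate` call is the public entry point that leads into `acquireS4U2selfCreds()`, so a KDC that issues a non-forwardable S4U2Self ticket makes that call throw, before any S4U2Proxy request is sent.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import com.sun.security.jgss.ExtendedGSSCredential;

/**
 * Added illustration of resource based constrained delegation from a Java
 * middle-tier service: S4U2Self (impersonate) followed by S4U2Proxy (context
 * to the backend). All principal and host names are placeholders.
 */
public class RbcdFlow {

    /** Kerberos V5 mechanism OID (a standard value, not specific to this mail). */
    private static final Oid KRB5_MECH = krb5Oid();

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException("Kerberos mechanism OID rejected", e);
        }
    }

    /**
     * Builds an initiator context to {@code backendSpn} that carries the
     * S4U2Proxy ticket for {@code userPrincipal}. The first token returned by
     * {@link GSSContext#initSecContext} is what the caller sends to the backend.
     */
    public static GSSContext delegateToBackend(String userPrincipal, String backendSpn)
            throws GSSException {
        GSSManager manager = GSSManager.getInstance();

        // Step 1: the service's own credential, taken from the Kerberos login
        // that is assumed to be in place (JAAS/keytab or native ccache).
        GSSCredential serviceCred = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.INITIATE_ONLY);

        // Step 2: S4U2Self. The JDK asks the KDC for a ticket to the service
        // itself on behalf of the user. Per the mail, this is the point where
        // CredentialsUtil.acquireS4U2selfCreds() rejects a ticket the KDC
        // issued without the forwardable flag, so the failure surfaces here.
        GSSName user = manager.createName(userPrincipal, GSSName.NT_USER_NAME, KRB5_MECH);
        GSSCredential impersonated = ((ExtendedGSSCredential) serviceCred).impersonate(user);

        // Step 3: S4U2Proxy. Using the impersonated credential, request a
        // ticket to the backend; the S4U2Self ticket rides in the TGS-REQ.
        GSSName backend = manager.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE, KRB5_MECH);
        GSSContext ctx = manager.createContext(
                backend, KRB5_MECH, impersonated, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        ctx.requestIntegrity(true);

        // First leg of the handshake; the resulting token goes to the backend
        // and the caller keeps calling initSecContext until isEstablished().
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        if (token == null) {
            throw new GSSException(GSSException.FAILURE, 0, "no initial token produced");
        }
        return ctx;
    }

    /** Call-site view: separates the S4U2Self failure from later context errors. */
    public static boolean tryDelegate(String userPrincipal, String backendSpn) {
        try {
            GSSContext ctx = delegateToBackend(userPrincipal, backendSpn);
            ctx.dispose();
            return true;
        } catch (GSSException e) {
            // The exception text is whatever the JDK reports; it is not quoted here.
            System.err.println("delegation failed (major=" + e.getMajor()
                    + ", minor=" + e.getMinor() + "): " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Placeholder principals; a real deployment takes these from configuration.
        boolean ok = tryDelegate("alice@EXAMPLE.COM", "HTTP@backend.example.com");
        System.out.println(ok ? "S4U2Proxy context initiated" : "S4U2Proxy not initiated");
    }
}
```

Run it with a JAAS configuration or `-Djavax.security.auth.useSubjectCredsOnly=false` so the service credential can be found; with a KDC that issues a non-forwardable S4U2Self ticket, the `impersonate` call is the one that fails, which is exactly the behaviour the mail argues should be left to the KDC's own policy rather than enforced in the JDK.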