Is SPNEGO supposed to work out of the box on domain joined Windows client
Weijun Wang
weijun.wang at oracle.com
Thu Dec 12 00:42:29 UTC 2019
> On Dec 12, 2019, at 8:23 AM, Daniel Fuchs <daniel.fuchs at oracle.com> wrote:
>
> Hi,
>
> By default transparent authentication is disabled on windows.
> You may have to specify a non-default value for the
> jdk.http.ntlm.transparentAuth property [1], or configure
> an Authenticator [2] that has the appropriate credentials.
The above is for NTLM.
For the Negotiate scheme, it's almost out-of-box.
1. Java is able to find realm and KDC via environment variables
2. Java can use the LSA cache if a realm user is logged in
but you'll need a special registry key [1] set for #2 above.
Or you can bridge to a native GSS library; you need to set the system property sun.security.jgss.native to true. JDK 13 contains its own native GSS library, but if you're still on JDK 11 you also need to point the system property sun.security.jgss.lib to a 3rd-party GSS library (Ex: from MIT).
--Max
[1] https://support.microsoft.com/en-us/help/2627903/access-to-session-keys-not-possible-using-a-restricted-token
>
> [1] https://bugs.openjdk.java.net/browse/JDK-8225506
> [2] https://docs.oracle.com/en/java/javase/13/docs/api/java.base/java/net/HttpURLConnection.html#setAuthenticator(java.net.Authenticator)
>
> best regards,
>
> -- daniel
>
> On 10/12/19 21:11, Marcin Wiśnicki wrote:
>> Forgive me for asking possibly silly question but I looked everywhere and couldn't find a simple answer to this question:
>> If I use standard java.net classes to establish connection to HTTP server that uses SPNEGO authentication (AD) from a Windows machine that's joined to AD, without further configuration, is this supposed to work?
>
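As an added illustration (not code from the original thread or the JDK), a small Java pre-flight check that tries to acquire the default SPNEGO initiator credential the HTTP Negotiate scheme relies on, and reports which of the two configuration paths from the reply above (pure-Java Kerberos using the LSA cache, or native GSS via sun.security.jgss.native) is in effect. The class name and console messages are my own.

```java
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Pre-flight check for transparent Negotiate (SPNEGO) authentication from a
 * domain-joined Windows client. A failure here explains a 401 before any
 * HTTP request is attempted. (Example code, not part of the JDK.)
 */
public class SpnegoPreflight {

    // SPNEGO mechanism OID (RFC 4178), the mechanism behind HTTP "Negotiate"
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** Returns true if a default initiator credential for the logged-in user can be acquired. */
    public static boolean canAcquireCredential() {
        try {
            GSSManager manager = GSSManager.getInstance();
            GSSCredential cred = manager.createCredential(
                    null,                            // null name = default principal (logged-in user)
                    GSSCredential.DEFAULT_LIFETIME,
                    new Oid(SPNEGO_OID),
                    GSSCredential.INITIATE_ONLY);
            System.out.println("Acquired credential for " + cred.getName()
                    + ", remaining lifetime " + cred.getRemainingLifetime() + "s");
            cred.dispose();
            return true;
        } catch (GSSException e) {
            System.out.println("No initiator credential: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        boolean nativeGss = Boolean.getBoolean("sun.security.jgss.native");
        if (nativeGss) {
            // Native bridge: JDK 13 ships its own library; JDK 11 needs sun.security.jgss.lib
            System.out.println("Mode: native GSS, sun.security.jgss.lib="
                    + System.getProperty("sun.security.jgss.lib", "<not set: JDK built-in on 13+>"));
        } else {
            System.out.println("Mode: pure-Java Kerberos (realm/KDC from environment, "
                    + "ticket from the LSA cache; needs the registry key linked in the reply)");
        }
        if (!canAcquireCredential()) {
            System.out.println("Transparent SPNEGO will not work with the current configuration.");
        }
    }
}
```

Run it with the same properties you would give the real client, e.g. `java -Dsun.security.jgss.native=true SpnegoPreflight.java`, and compare against a plain `java SpnegoPreflight.java` to see which path acquires a credential on the machine.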