Patching bug 6722928/serious limitations of JGSS under Windows 7

1983-01-06 at gmx.net
Tue Aug 14 10:35:31 UTC 2012


Hi Weijun,

> Hi Michael
> 
> The feature was dropped mainly because of delegation problem. If I 
> remember (and understand) correctly, using the underlying SSPI there 
> seems no good way to acquire a FORWARDED ticket and send it to the 
> middle server to perform delegation. I think maybe Microsoft restricts 
> this so that you are always under the UAC umbrella, otherwise, a 
> forwarded TGT might let you do much more than it wants.
>
> This means if the client uses SSPI but the server uses pure Java, there 
> is a loss of function, and I was not happy with this (4 years ago).
> 
> This might change if pure Java Kerberos also supports constrained 
> delegation.

this is confusing. Why is a SPNEGO ticket sent by Firefox, which is generated with SSPI, forwardable then? I was happily able to retrieve a service ticket for an Active Directory server on behalf of that user's GSSCredential and retrieve some data through LDAP. InitializeSecurityContext and ISC_REQ_DELEGATE don't do the job?

Would it suffice to acquire the CredHandle from AcquireCredentialsHandle and convert that to GSSCredential?

Disclaimer: I am not a C++ hacker, nor am I experienced with SSPI. But I am strong with Kerberos on Java.

> BTW, when you say "a very good patch", have you compiled it and really 
> find it useful? This patch was still in experimental status at the time 
> of posting.

No, I did a code review. It looked very promising. At least way better than the current situation. Is there any chance to re-review that in 2012 with a new outcome?

Thanks for the quick response,

Mike

> On 08/14/2012 05:14 PM, 1983-01-06 at gmx.net wrote:
> > Hi folks,
> >
> > like many many other developers I have switched to Windows 7 on my
> > machine. After hours of search I have realized that JGSS is seriously crippled
> > due to UAC, account permissions and LSA's limitations.
> >
> > I have found the ticket 6722928 which has been filed more than 4 years
> > ago. Surprisingly, Weijun Wang has already provided a very good patch [1] and
> > nothing has happened since 2010.
> >
> > The current situation of Kerberos in Java on Windows 7 is very
> > frustrating from an enterprise point of view. I am convinced that I speak for the
> > vast majority of devs and users who want to have native SSPI support on
> > Windows without tampering with the registry, cred caches, ini files. Most can't
> > even do so because group policies don't allow it. Fortunately I can, but since I am
> > a local admin with a domain account, I am crippled too.
> >
> > Is there anything happening from the OpenJDK folks (Oracle JDK devs) to
> > fix that issue anytime soon? This would bring the great Java platform on
> > par with .NET's support of GSS-API/SSPI on Windows.
> >
> > Yours,
> >
> > Michael Osipov
> >
> > [1] http://cr.openjdk.java.net/~weijun/6722928/webrev.00/jdk.patch
> >
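As an added illustration of the delegation flow Mike describes above (a Java server accepts a SPNEGO token, checks whether the client actually forwarded a credential, and then queries Active Directory over LDAP on that user's behalf), the following code is written here for this archive page and is neither from the thread nor from the 6722928 patch. It assumes it runs under a JAAS Subject already logged in with the service's keytab, a reachable KDC and domain controller, and a single-leg SPNEGO exchange; the class name and the ldapUrl, baseDn and sam parameters are hypothetical.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import javax.security.auth.Subject;
import org.ietf.jgss.*;
public final class DelegatedLdapLookup {
    /** Accept the client's SPNEGO token with the default acceptor credential (keytab of the
     *  Subject this runs under). Returns the delegated credential, or null if none was forwarded. */
    static GSSCredential acceptAndGetDelegated(byte[] token) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential acceptor = manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                new Oid("1.3.6.1.5.5.2") /* SPNEGO */, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(acceptor);
        ctx.acceptSecContext(token, 0, token.length); // reply token (if any) should go back to the client
        if (!ctx.isEstablished()) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0, "needs another leg; not handled here");
        }
        // True only if the initiator asked for delegation (ISC_REQ_DELEGATE under SSPI, requestCredDeleg
        // under JGSS) and the KDC issued a forwardable TGT. That credential carries the user's full identity.
        return ctx.getCredDelegState() ? ctx.getDelegCred() : null;
    }
    /** Bind to AD over LDAP (SASL GSSAPI) as the delegated user and read one attribute. */
    static String lookupDisplayName(GSSCredential delegated, String ldapUrl, String baseDn, String sam)
            throws Exception {
        Subject asUser = new Subject();
        asUser.getPrivateCredentials().add(delegated); // JGSS finds this credential inside doAs
        return Subject.doAs(asUser, (PrivilegedExceptionAction<String>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            LdapContext ldap = new InitialLdapContext(env, null);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"displayName"});
                NamingEnumeration<SearchResult> hits =
                        ldap.search(baseDn, "(sAMAccountName={0})", new Object[] {sam}, sc);
                if (!hits.hasMore()) return null;
                Attribute a = hits.next().getAttributes().get("displayName");
                return a == null ? null : (String) a.get();
            } finally {
                ldap.close();
            }
        });
    }
}
```

A null from acceptAndGetDelegated is the normal outcome whenever the browser or the KDC policy did not allow forwarding, so callers should treat it as "authenticated, but no delegation" rather than as an error.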
