Patching bug 6722928/serious limitations of JGSS under Windows 7

Weijun Wang weijun.wang at oracle.com
Tue Aug 14 10:59:35 UTC 2012



On 08/14/2012 06:35 PM, 1983-01-06 at gmx.net wrote:
> Hi Weijun,
>
>> Hi Michael
>>
>> The feature was dropped mainly because of the delegation problem. If I
>> remember (and understand) correctly, using the underlying SSPI there
>> seems to be no good way to acquire a FORWARDED ticket and send it to the
>> middle server to perform delegation. I think maybe Microsoft restricts
>> this so that you are always under the UAC umbrella; otherwise, a
>> forwarded TGT might let you do much more than it wants.
>>
>> This means if the client uses SSPI but the server uses pure Java, there
>> is a loss of function, and I was not happy with this (4 years ago).
>>
>> This might change if pure Java Kerberos also supports constrained
>> delegation.
>
> this is confusing. Why is a SPNEGO ticket sent by Firefox, which is generated with SSPI, forwardable then? I was happily able to retrieve a service ticket for an Active Directory server on behalf of that user's GSSCredential and retrieve some data through LDAP. InitializeSecurityContext and ISC_REQ_DELEGATE don't do the job?

Maybe I can look at it again. I remember the problem was about 
delegation. I am not sure now.

I cannot determine when I can pick up the feature again. Sorry.

-Weijun

>
> Would it suffice to acquire the CredHandle from AcquireCredentialsHandle and convert that to GSSCredential?
>
> Disclaimer: I am not a C++ hacker nor am I experienced with SSPI. But strong with Kerberos on Java.
>
>> BTW, when you say "a very good patch", have you compiled it and really
>> found it useful? This patch was still in experimental status at the time
>> of posting.
>
> No, I did a code review. It looked very promising. At least way better than the current situation. Is there any chance to re-review that in 2012 with a new outcome?
>
> Thanks for the quick response,
>
> Mike
>
>> On 08/14/2012 05:14 PM, 1983-01-06 at gmx.net wrote:
>>> Hi folks,
>>>
>>> like many many other developers I have switched to Windows 7 on my
>>> machine. After hours of searching I have realized that JGSS is seriously crippled
>>> due to UAC, account permissions and LSA's limitations.
>>>
>>> I have found the ticket 6722928 which has been filed more than 4 years
>>> ago. Surprisingly, Weijun Wang has already provided a very good patch [1] and
>>> nothing has happened since 2010.
>>>
>>> The current situation of Kerberos in Java on Windows 7 is very
>>> frustrating from an enterprise point of view. I am convinced that I speak for the
>>> vast majority of devs and users who want to have native SSPI support on
>>> Windows without tampering with the registry, cred caches, ini files. Most can't even
>>> do that because group policies don't allow it. Fortunately I can, but since I am
>>> a local admin with a domain account, I am crippled too.
>>>
>>> Is there anything happening from the OpenJDK folks (Oracle JDK devs) to
>>> fix that issue anytime soon? This would bring the great Java platform on
>>> par with .NET's support of GSS-API/SSPI on Windows.
>>>
>>> Yours,
>>>
>>> Michael Osipov
>>>
>>> [1] http://cr.openjdk.java.net/~weijun/6722928/webrev.00/jdk.patch
>>>
>

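The pure-Java acceptor side of the flow Michael describes above (accept the browser's SPNEGO token, take the delegated credential, query Active Directory over LDAP as that user), written as an added example for this thread. It is not code from the thread, from the JDK, or from Weijun's 6722928 patch. The class name SpnegoDelegationExample, the host dc1.example.com, the search base DC=example,DC=com, and the assumption that the server runs under a JAAS/Subject configuration that can locate its own keytab are all assumptions of the example; the JGSS and JNDI calls themselves are standard JDK APIs.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.sasl.Sasl;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Added example (not JDK or thread code): accept a SPNEGO token, and only if
 * the client really forwarded its credentials, use them against AD via LDAP.
 */
public final class SpnegoDelegationExample {

    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // Assumed deployment values for the example; replace with your own.
    private static final String LDAP_URL = "ldap://dc1.example.com:389";
    private static final String SEARCH_BASE = "DC=example,DC=com";

    /** What the acceptor learned: who the initiator is and what it forwarded. */
    static final class Accepted {
        final String initiator;          // e.g. "alice@EXAMPLE.COM"
        final GSSCredential delegated;   // null when nothing was forwarded
        Accepted(String initiator, GSSCredential delegated) {
            this.initiator = initiator;
            this.delegated = delegated;
        }
    }

    /**
     * Accepts one client token. Kerberos carried inside SPNEGO normally
     * completes in a single leg; a multi-leg negotiation would need the
     * returned token sent back and another call to acceptSecContext.
     */
    static Accepted accept(byte[] clientToken) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // Acceptor credential: the service's own key, found through the
        // Subject/JAAS configuration the server runs under (assumed present).
        GSSCredential serverCred = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME,
                new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);
        try {
            ctx.acceptSecContext(clientToken, 0, clientToken.length);
            if (!ctx.isEstablished()) {
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            String initiator = ctx.getSrcName().toString();
            // Check rather than assume: a forwarded TGT is present only if the
            // client asked for delegation AND the KDC permitted it for this service.
            GSSCredential delegated = ctx.getCredDelegState() ? ctx.getDelegCred() : null;
            return new Accepted(initiator, delegated);
        } finally {
            ctx.dispose();
        }
    }

    /**
     * Binds to AD with the delegated credential over SASL GSSAPI and returns
     * the sAMAccountName the directory holds for the initiator, or null.
     */
    static String lookupSamAccountName(Accepted a) throws Exception {
        if (a.delegated == null) {
            throw new IllegalStateException("client did not forward credentials");
        }
        // Subject carries the credential for JDKs that consult it; the
        // Sasl.CREDENTIALS property hands it to the GSSAPI client explicitly.
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(a.delegated);
        PrivilegedExceptionAction<String> action = () -> {
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            env.put(Sasl.CREDENTIALS, a.delegated);
            env.put(Sasl.QOP, "auth-conf");   // sign and seal the LDAP traffic
            DirContext dir = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"sAMAccountName"});
                // {0} is substituted by JNDI with proper LDAP filter escaping.
                NamingEnumeration<SearchResult> results = dir.search(SEARCH_BASE,
                        "(userPrincipalName={0})", new Object[] {a.initiator}, sc);
                if (!results.hasMore()) {
                    return null;
                }
                return (String) results.next().getAttributes().get("sAMAccountName").get();
            } finally {
                dir.close();
            }
        };
        return Subject.doAs(subject, action);
    }
}
```

The practitioner's checks are the two branches on getCredDelegState() and on a null delegated credential: a server must not assume a forwarded TGT exists, and must not fall back to its own service credential when it does not, since the LDAP query would then run with the server's identity rather than the user's. A forwarded TGT lets the middle server act as the user towards any service, which is the point Weijun raises about delegation above; where the domain supports it, constrained delegation limits that reach, and the thread notes that pure-Java Kerberos did not yet support it at the time.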


More information about the security-dev mailing list