Patching bug 6722928/serious limitations of JGSS under Windows 7

1983-01-06 at gmx.net
Tue Aug 14 11:17:23 UTC 2012


> 
> On 08/14/2012 06:35 PM, 1983-01-06 at gmx.net wrote:
> > Hi Weijun,
> >
> >> Hi Michael
> >>
> >> The feature was dropped mainly because of delegation problem. If I
> >> remember (and understand) correctly, using the underlying SSPI there
> >> seems no good way to acquire a FORWARDED ticket and send it to the
> >> middle server to perform delegation. I think maybe Microsoft restricts
> >> this so that you are always under the UAC umbrella, otherwise, a
> >> forwarded TGT might let you do much more than it wants.
> >>
> >> This means if the client uses SSPI but the server uses pure Java, there
> >> is a loss of function, and I was not happy with this (4 years ago).
> >>
> >> This might change if pure Java Kerberos also supports constrained
> >> delegation.
> >
> > This is confusing. Why is a SPNEGO ticket sent by Firefox, which is
> > generated with SSPI, forwardable then? I was happily able to retrieve
> > a service ticket for an Active Directory server on behalf of that user's
> > GSSCredential and retrieve some data through LDAP. InitializeSecurityContext
> > and ISC_REQ_DELEGATE don't do the job?
> 
> Maybe I can look at it again. I remember the problem was about 
> delegation. I am not sure now.
> 
> I cannot determine when I can pick up the feature again. Sorry.

Thank you! That would be a viable contribution to the entire framework.

Michael
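The scenario Michael describes above (a pure-Java acceptor receiving a forwardable ticket and using the delegated GSSCredential for an LDAP query on the user's behalf), as an added illustration that is not code from this thread or from the JDK; the LDAP URL, base DN and attribute names are assumed placeholders:

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.security.auth.Subject;
import org.ietf.jgss.*;

public class DelegatingAcceptor {
    // Assumed deployment values (placeholders, not from the thread).
    static final String LDAP_URL = "ldap://dc.example.test:389";
    static final String BASE_DN = "DC=example,DC=test";

    /** Middle-server side: accept the client's SPNEGO/Kerberos token with the default acceptor credential. */
    static GSSContext accept(byte[] clientToken) throws GSSException {
        GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
        byte[] reply = ctx.acceptSecContext(clientToken, 0, clientToken.length);
        // A real server returns 'reply' to the client when non-null and loops until isEstablished().
        return ctx;
    }

    /** Only if the client really sent a forwardable ticket, query LDAP as that user. */
    static String lookupOnBehalfOf(GSSContext ctx, String samAccountName) throws Exception {
        if (!ctx.isEstablished() || !ctx.getCredDelegState()) {
            throw new GSSException(GSSException.NO_CRED); // no delegation: refuse rather than fall back
        }
        GSSCredential delegated = ctx.getDelegCred();
        Subject asClient = new Subject();
        asClient.getPrivateCredentials().add(delegated); // JNDI's GSSAPI SASL mechanism uses this credential
        return Subject.doAs(asClient, (PrivilegedExceptionAction<String>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            InitialLdapContext ldap = new InitialLdapContext(env, null);
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            NamingEnumeration<SearchResult> hits = ldap.search(BASE_DN,
                    "(sAMAccountName={0})", new Object[] {samAccountName}, sc);
            String dn = hits.hasMore() ? hits.next().getNameInNamespace() : null;
            ldap.close();
            return dn; // what the AD server lets this particular user see, not the service account
        });
    }
}
```

With a Windows client that does not set ISC_REQ_DELEGATE (or a non-forwardable TGT), getCredDelegState() is false and the lookup is refused, which is the loss of function the thread is about.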


