S4U2Self and OpenJDK 8

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Tue Dec 1 17:59:04 UTC 2015


Max,

Closing the loop on this.  It turns out that there was an extra step
needed to get the user in FreeIPA set up as a delegate (the
documentation was written for S4U2Proxy, not S4U2Self).  Once I set
that flag, delegation started working for BOTH Java 8 and Java 9.

Thanks again.
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
(703) 828-4902


On Tue, Dec 1, 2015 at 11:23 AM, Marc Boorshtein
<marc.boorshtein at tremolosecurity.com> wrote:
> Hmm, I think you are right.  Here's what the Microsoft docs say "The
> S4U2proxy extension requires that the service ticket to the first
> service has the forwardable flag set (see Service 1 in the figure
> specifying Kerberos delegation with forwarded TGT, section 1.3.3).
> This ticket can be obtained through an S4U2self protocol exchange."
> I'll follow up with the folks at Red Hat and FreeIPA.
>
> Thanks
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com
> (703) 828-4902
>
>
> On Mon, Nov 30, 2015 at 10:01 PM, Wang Weijun <weijun.wang at oracle.com> wrote:
>> It is my understanding that if the S4U2self ticket is not forwardable then it cannot be used in an S4U2proxy request. That's why we just threw an exception. Am I wrong? Or don't you intend to use it this way?
>>
>> --Max
>>
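As an added example that is not part of this thread or of OpenJDK: a small Python check that decodes a ticket's TicketFlags BIT STRING per RFC 4120 and reports whether the forwardable bit that S4U2Proxy requires on the S4U2Self ticket is set. The DER samples are constructed for illustration.

```python
"""Decode Kerberos TicketFlags (RFC 4120 sec. 5.2.8 / 5.3) from DER and check
for the forwardable flag that an S4U2Proxy request needs on its evidence ticket."""
from typing import List

# Bit positions per RFC 4120 sec. 5.3; bit 0 is the most significant bit of the
# first content octet of the BIT STRING.
TICKET_FLAG_NAMES = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "may-postdate", 6: "postdated", 7: "invalid",
    8: "renewable", 9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}


def decode_ticket_flags(der: bytes) -> List[str]:
    """Parse a short-form DER BIT STRING (tag 0x03) holding KerberosFlags and
    return the names of the bits that are set."""
    if len(der) < 2 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent length encoding")
    unused, bits = der[2], der[3:]
    # KerberosFlags must carry at least 32 bits (RFC 4120 sec. 5.2.8).
    if unused > 7 or len(bits) < 4:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    total_bits = len(bits) * 8 - unused
    return [
        TICKET_FLAG_NAMES.get(pos, f"bit{pos}")
        for pos in range(total_bits)
        if bits[pos // 8] & (0x80 >> (pos % 8))
    ]


def usable_as_s4u2proxy_evidence(der: bytes) -> bool:
    """S4U2Proxy requires the S4U2Self service ticket to be forwardable."""
    return "forwardable" in decode_ticket_flags(der)


# Constructed sample: flags 0x40a00000 -> forwardable, renewable, pre-authent.
SAMPLE_FORWARDABLE = bytes.fromhex("03050040a00000")
# Constructed sample: same ticket with forwardable cleared (0x00a00000).
SAMPLE_NOT_FORWARDABLE = bytes.fromhex("03050000a00000")

if __name__ == "__main__":
    for label, der in (("forwardable", SAMPLE_FORWARDABLE),
                       ("not forwardable", SAMPLE_NOT_FORWARDABLE)):
        print(label, decode_ticket_flags(der),
              "S4U2Proxy ok:", usable_as_s4u2proxy_evidence(der))
```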


More information about the security-dev mailing list