RFR 8022582: Relax response flags checking in sun.security.krb5.KrbKdcRep.check.

Wang Weijun weijun.wang at oracle.com
Thu Jan 15 04:10:17 UTC 2015

Hi All

Please review the code changes at


Sometimes a forwardable ticket request is sent but the KDC returns a non-forwardable one. For example, in Windows, an account can be set as "sensitive and cannot be delegated". While it's possible to remove the "forwardable=true" line in krb5.conf to avoid the check failure, the file is global and maybe another account wants to be delegated. Therefore we just relax the forwardable check.

KrbTgsReq is also modified so that one can get a service ticket when the TGT is not forwardable.

One special case is the S4U2self request: both the existing ticket and the expected ticket must be forwardable, and we fail early if one is not.

A new test simulates the "sensitive account" concept in Windows.
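
The check described in this message, as an added sketch that is not part of the original post and not the JDK's code: the class, method and parameter names are hypothetical. It assumes the other flags are still compared strictly and that a forwardable ticket nobody asked for is still rejected, neither of which the message states; the bit positions are those of RFC 4120.

```java
import java.util.BitSet;

// Illustrative sketch only: hypothetical names, not sun.security.krb5 internals.
public class ReplyFlagCheck {
    // Bit positions shared by KDCOptions and TicketFlags in RFC 4120.
    static final int FORWARDABLE = 1, PROXIABLE = 3, POSTDATE = 5, RENEWABLE = 8;
    static final int[] CHECKED = {FORWARDABLE, PROXIABLE, POSTDATE, RENEWABLE};

    /** Returns null when the reply is acceptable, otherwise the reason to reject it. */
    static String check(BitSet requested, BitSet granted,
                        boolean s4u2self, boolean tgtForwardable) {
        // S4U2self: the existing ticket and the returned ticket must both be forwardable.
        if (s4u2self && !tgtForwardable) return "S4U2self: existing ticket not forwardable";
        if (s4u2self && !granted.get(FORWARDABLE)) return "S4U2self: returned ticket not forwardable";
        for (int bit : CHECKED) {
            boolean asked = requested.get(bit), got = granted.get(bit);
            if (asked == got) continue;
            // Relaxed case: forwardable was requested but the KDC declined to grant it.
            if (bit == FORWARDABLE && asked) continue;
            // Assumption: every other mismatch is still treated as a bad reply.
            return "flag bit " + bit + ": requested=" + asked + ", granted=" + got;
        }
        return null;
    }

    static BitSet bits(int... positions) {
        BitSet b = new BitSet();
        for (int p : positions) b.set(p);
        return b;
    }

    public static void main(String[] args) {
        // Constructed cases, not captured KDC traffic.
        // 1. Forwardable requested, KDC declined it (the "sensitive account" situation).
        System.out.println(check(bits(FORWARDABLE), bits(), false, true));
        // 2. Forwardable granted although it was never requested.
        System.out.println(check(bits(), bits(FORWARDABLE), false, true));
        // 3. Renewable requested but not granted: a flag that is not relaxed here.
        System.out.println(check(bits(RENEWABLE), bits(), false, true));
        // 4. S4U2self where the returned ticket is not forwardable.
        System.out.println(check(bits(FORWARDABLE), bits(), true, true));
    }
}
```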

