RFR 8227437: S4U2proxy cannot continue because server's TGT cannot be found

Weijun Wang weijun.wang at oracle.com
Tue Jul 16 02:16:07 UTC 2019

Another thing.

Although we later found out more issues with the name change, this bug was originally filed on S4U2proxy, so I suggest we add a test for this purpose.

This can demonstrated with

private static void JAAS() throws Exception {
    Context c = Context.fromUserPass("normal", password, false);
    c.startAsClient("andrew", GSSUtil.GSS_KRB5_MECH_OID);
    Context s = Context.fromUserPass("drew", password, true);
    Context.handshake(c, s);

Here the principals are added as 

kdc1.addPrincipal("normal", password);
kdc1.addPrincipal("andrew", password);
kdc1.registerAlias("drew", "andrew@" + realmKDC1);

You can surely use your existing names/aliases.

Note: I cannot call 'c.startAsClient("drew", GSSUtil.GSS_KRB5_MECH_OID)' above because KDC.java does not support aliases in getPassword(). We can enhance this later if useful.


> On Jul 16, 2019, at 8:47 AM, Martin Balao <mbalao at redhat.com> wrote:
> http://cr.openjdk.java.net/~mbalao/webrevs/8227437/8227437.webrev.00/

More information about the security-dev mailing list