RFR 8005819: Support cross-realm MSSFU

Osipov, Michael michael.osipov at siemens.com
Tue Oct 29 15:35:30 UTC 2019


A few questions:

* In handleS4U2ProxyReferral():
> +        sname = new PrincipalName(PrincipalName.KRB_NT_PRINCIPAL,
> +                sname.getNameStrings(), sname.getRealm());
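
Review bot: The name type passed to the new PrincipalName in handleS4U2ProxyReferral() is hard-coded to KRB_NT_PRINCIPAL, while the name strings and realm are copied from the existing sname, so whatever type sname carried before is dropped with no stated reason. Either preserve the original type (for example via sname.getNameType()) or add a comment above this assignment explaining why the referral path requires KRB_NT_PRINCIPAL.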

Why do you use KRB_NT_PRINCIPAL here? Is that the assumption that in AD
all services are bound to regular accounts compared to MIT Kerberos?

client1@REALM => HTTP/host@REALM where HTTP/host@REALM is bound to
srv$@REALM => postgres/host2@REALM and the transition is done with
srv$@REALM?


Michael


