ymartin59 / java-kerberos-sfudemo

Java 8 Kerberos MS-SFU Demonstration Code
Apache License 2.0

Known issue in Java 8: TGS ticket generated by S4U2self is not forwardable #2

Closed ymartin59 closed 8 years ago

ymartin59 commented 8 years ago

When invoking "impersonate", the TGS ticket generated does not have the forwardable flag set, preventing a target service called after S4U2proxy from invoking yet-another-hop with a second S4U2proxy...

Reported issue at http://comments.gmane.org/gmane.linux.redhat.freeipa.user/19481

Patch included for JDK 9: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/ae6449bc523f

ymartin59 commented 8 years ago

In fact this report is wrong - the mistake was in the server Kerberos configuration, as usual.

With both Java 8 and 9, "impersonate" works properly and produces tickets that can be used to query the TGS for another hop.

hank345 commented 8 years ago

Hi Yves, is there any chance you know what their configuration mistake was? I'm trying to run your example (Java 1.8 u74) and I get this:

    Caused by: KrbException: Message stream modified (41) KrbKdcRep.check: at #1. request for true, received false

I have a web service which does SPNEGO authentication, and now I want to do constrained delegation to a backend service (constrained delegation is configured under the "Delegation" tab in AD).

login.txt krb5.txt

hank345 commented 8 years ago

ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION userAccountControl bit needs to be set for the service account! Setting this flag solved my problems.

Flag described here: https://msdn.microsoft.com/en-us/library/cc223145.aspx

ymartin59 commented 8 years ago

Hello, it is strange that the flag is unset on your service account. I have to confirm, but I expect this flag to be set when invoking "ktpass" to generate the keytab used to establish "trust" between your Java process and Active Directory (the keytab file is used instead of a password to preauthenticate the service).

vijaysr commented 5 years ago

Does the ExtendedGSSCredential::impersonate method support the resource based KCD? With resource based KCD, we don't set this TrustedToAuthForDelegation attribute. Only the PrincipalsAllowedToDelegateToAccount is set.

When I tried it, I get the following error.

    Caused by: KrbException: S4U2self ticket must be FORWARDABLE
        at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:75)
        at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
        at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:356)

bhushan1987 commented 5 years ago

On my service account, the flag ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is set correctly. Still, I am getting this error: "S4U2self needs a FORWARDABLE ticket"

ymartin59, how did you manage to solve this issue?

ymartin59 commented 5 years ago

@vijaysr @bhushan1987 Please check that your TGS (on your workstation) has the "forwardable" flag set. You may use klist -ef on Linux or kerbtray on Windows to do so.

bhushan1987 commented 5 years ago

Thanks, but the flag ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is set on the service account to whom the SPN is attached.

bhushan1987 commented 5 years ago

I figured out the solution. You need to set the JAAS config file in the system path. Then only is the ticket obtained from the keytab "forwardable". Surprisingly, this is not mentioned anywhere clearly.

    System.setProperty("java.security.krb5.conf", "");

Also make sure you have mentioned "forwardable = true" in your JAAS config file. Pasting an example config file below:

    [libdefaults]
        default_realm = DOMAIN.COM
        default_tkt_enctypes = aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tgs_enctypes = aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        dns_lookup_kdc = true
        dns_lookup_realm = false
        # S4U2self requires the service TGT to carry the FORWARDABLE flag
        forwardable = true

    [realms]
        DOMAIN.COM = {
            kdc = KDC_HOST.DOMAIN.COM
            admin_server = KDC_HOST.DOMAIN.COM
            default_domain = DOMAIN.COM
        }

    # the section is named [domain_realm] in krb5.conf; [domain_realms] is ignored
    [domain_realm]
        domain.com = DOMAIN.COM
        .domain.com = DOMAIN.COM

ymartin59 commented 5 years ago

This file is not a JAAS configuration file but the krb5.conf file used by the native Kerberos library: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html. There is no need to set the system property java.security.krb5.conf if you already configured /etc/krb5.conf on Unix or C:\Windows\krb5.ini on Windows.

From my point of view, there is no need for "servicelogin" TGT to be forwardable, as answered at https://stackoverflow.com/a/57087305/737790
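The check ymartin59 asks for above (is the TGT obtained from the keytab forwardable?) and the impersonate call it gates, written in Java as an added example that is not part of this repository's code. "ServiceLogin" is an assumed JAAS entry name; the JAAS file and krb5.conf (with forwardable = true in [libdefaults]) are assumed to be configured as discussed in the thread.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.*;
import com.sun.security.jgss.ExtendedGSSCredential;

public class S4U2selfPreflight {
    /** True if the TGT (krbtgt/REALM) in the subject's private credentials has the FORWARDABLE flag. */
    static boolean tgtIsForwardable(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return t.isForwardable();
            }
        }
        return false; // no TGT at all: the JAAS login did not yield a usable ticket
    }

    /** S4U2self: ask the KDC for a ticket to ourselves on behalf of userPrincipal. */
    static GSSCredential impersonate(Subject subject, String userPrincipal) throws PrivilegedActionException {
        return Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // Kerberos v5 mechanism OID
            GSSCredential self = mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                    krb5Mech, GSSCredential.INITIATE_ONLY);
            GSSName user = mgr.createName(userPrincipal, GSSName.NT_USER_NAME);
            return ((ExtendedGSSCredential) self).impersonate(user);
        });
    }

    public static void main(String[] args) throws LoginException, PrivilegedActionException, GSSException {
        // "ServiceLogin" is an assumed JAAS entry name (Krb5LoginModule, useKeyTab=true);
        // java.security.auth.login.config must point at that JAAS file, krb5.conf at the KDC.
        LoginContext lc = new LoginContext("ServiceLogin");
        lc.login();
        Subject subject = lc.getSubject();
        if (!tgtIsForwardable(subject)) {
            System.err.println("TGT is not FORWARDABLE: impersonate() would fail with "
                    + "'S4U2self ticket must be FORWARDABLE'. Check forwardable = true in "
                    + "[libdefaults] of krb5.conf and compare with klist -ef.");
            System.exit(1);
        }
        GSSCredential delegated = impersonate(subject, args[0]); // args[0]: e.g. user@DOMAIN.COM
        System.out.println("S4U2self succeeded; delegated credential for " + delegated.getName());
    }
}
```

Running the preflight before the first impersonate() call separates a ticket-flag problem (krb5.conf or KDC policy) from an account-flag problem (ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION), which the thread shows produce different errors.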

ymartin59 commented 5 years ago

@vijaysr Please do not comment on a closed issue - I am not sure your question is really related to it. Your question is interesting; may you please create a new dedicated issue about it.

> Does the ExtendedGSSCredential::impersonate method support the resource based KCD? With resource based KCD, we don't set this TrustedToAuthForDelegation attribute. Only the PrincipalsAllowedToDelegateToAccount is set.
>
> When I tried it, I get the following error.
>
>     Caused by: KrbException: S4U2self ticket must be FORWARDABLE
>         at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:75)
>         at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
>         at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:356)