Closed wonboyn closed 8 years ago
Scratch that - the problem was the Kerberos config file I was using. Once I added forwardable = true to libdefaults, it works fine.
Cheers
@wonboyn I am back about that old issue. From my point of view, setting forwardable=true
also creates a forwardable ticket for the "javaservice" account TGT obtained from the keytab.
According to this other issue #2, the proper option is to set ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
on the service account in Active Directory.
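The Active Directory side of the fix above, as an added example that is not part of the issue or of the demo project: it reads the service account's userAccountControl bits, enables TRUSTED_TO_AUTH_FOR_DELEGATION (the flag that lets the KDC honour S4U2self requests from that account) and limits S4U2proxy to one back-end SPN instead of granting unconstrained delegation. The account name "javaservice" and the SPN HTTP/backend.example.com are assumed placeholders; the bit values come from ADS_USER_FLAG_ENUM.

```powershell
# Added example, not from the issue or the demo. Assumes the RSAT ActiveDirectory module
# and a service account "javaservice"; the back-end SPN is a placeholder.
Import-Module ActiveDirectory

$svc       = 'javaservice'              # assumed sAMAccountName of the service account
$targetSpn = 'HTTP/backend.example.com' # assumed SPN the service is allowed to delegate to

# userAccountControl bits from ADS_USER_FLAG_ENUM
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation: avoid
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self)

function Show-DelegationState([string]$Name) {
    $acct = Get-ADUser -Identity $Name -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $uac  = [int]$acct.userAccountControl
    "{0}: TRUSTED_FOR_DELEGATION={1} TRUSTED_TO_AUTH_FOR_DELEGATION={2} AllowedToDelegateTo=[{3}]" -f `
        $Name,
        [bool]($uac -band $UF_TRUSTED_FOR_DELEGATION),
        [bool]($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION),
        ($acct.'msDS-AllowedToDelegateTo' -join ', ')
}

Show-DelegationState $svc   # state before the change

# Enable protocol transition (S4U2self) on the service account ...
Set-ADAccountControl -Identity $svc -TrustedToAuthForDelegation $true

# ... and constrain S4U2proxy to a single back-end SPN (constrained delegation)
Set-ADUser -Identity $svc -Add @{ 'msDS-AllowedToDelegateTo' = $targetSpn }

# Re-read and fail loudly if the flag did not take
$after = Get-ADUser -Identity $svc -Properties userAccountControl
if (([int]$after.userAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -eq 0) {
    throw "TrustedToAuthForDelegation is still not set on $svc"
}
Show-DelegationState $svc   # state after the change
```

Changing these attributes needs SeEnableDelegationPrivilege, which by default only Domain Admins hold, so run it from an administrative account. Setting the flag widens what the account can do (it can now obtain service tickets on behalf of arbitrary users), so keep msDS-AllowedToDelegateTo to the minimum set of SPNs and never pair it with TRUSTED_FOR_DELEGATION.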
Hi there,
Thanks for providing this demo. Unfortunately I'm not having any luck getting it to work.
If I run it as is (changing the user & target SPN) I get an error advising it cannot obtain a password for the user (javax.security.auth.login.LoginException: Unable to obtain password from user).
If I change the principal from javaservice@DOMAIN to instead be HTTP/javaservice@DOMAIN the initial login proceeds but the code then fails with the following error:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials failed!)
    at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:357)
    at sun.security.jgss.spnego.SpNegoCredElement.impersonate(SpNegoCredElement.java:94)
    at sun.security.jgss.GSSCredentialImpl.impersonate(GSSCredentialImpl.java:141)
    at sfudemo.KerberosDemo$1.run(KerberosDemo.java:104)
    at sfudemo.KerberosDemo$1.run(KerberosDemo.java:97)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at sfudemo.KerberosDemo.impersonate(KerberosDemo.java:97)
    at sfudemo.KerberosDemo.main(KerberosDemo.java:205)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:283)
    at java.lang.Thread.run(Thread.java:745)
Caused by: KrbException: Invalid option setting in ticket request. (101)
    at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:165)
    at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:100)
    at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:66)
    at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:463)
    at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:353)
I'm running this using the Oracle 1.8.0_65 JDK against a Windows 2003 SP1 DC. Any assistance would be greatly appreciated.
Thanks
Tim