ymartin59
commented
7 years ago Hello. I only provided this code as a "client" proof of concept. I have to admit that I am not aware of server-side additional requirements for Java code to implement KCD.
Based on your description, I would say you should not use impersonation of a "new" GSSName with user login name, but delegation only, forwarding credentials received in GSSContext from client to the next hop.
You should find interesting methods at http://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/5b20f3cd68b7/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java
kishoremk
I am working on the below scenario:
Client1 interacts with Service1 which in turn interacts with Service 2. The interaction with Service 2 should happen on behalf of Client1. Authentication being used here is kerberos, and I have few issues in explicitly setting the requestCredDelegation(true) on the client side. I thought S4U2 self + S4U2 Proxy kerberos extensions could solve the issue.
These are the things I have done following the sample:
a) In the AD, On the Service1 account, enabled trusted delegation for specific service.
b) In my Service1 java code, after the client <-> Server connection is established: 1) I create the server credentials: serverCreds = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME, krb5Oid, GSSCredential.INITIATE_ONLY);;
2). Create the GSSName corresponding to the client GSSName other = manager.createName(XXX, GSSName.NT_USER_NAME, krb5Oid);
3) GSSCredential clientcreds = ((ExtendedGSSCredential)serverCreds).impersonate(other);
Impersonated client creds show up as:: [GSSCredential: client@domain.COM 1.2.840.113554.1.2.2 Initiate [class sun.security.jgss.krb5.Krb5ProxyCredential] client@domain.COM 1.3.6.1.5.5.2 Initiate [class sun.security.jgss.spnego.SpNegoCredElement]]
4) Having the impersonated credential, I try to connect Service 1 to Service 2, by creating the context :
GSSContext context = manager.createContext(serverName, krb5Oid, impersonatedUserCredential, GSSContext.DEFAULT_LIFETIME); ....... context.initSecContext(token, 0, token.length);
I get an error of No Valid credentials found. I have created a Subject from the impersonated Credentials and try to run a privileged Action, but similar error shows up, no service ticket found in the Subject.
I see that when a subject is created by passing in the Credentials, Krb5ProxyCredential is being ignored,
"Skipped cred element: sun.security.jgss.krb5.Krb5ProxyCredential@7e0babb1"
Could somebody let me know, why are the Krb5ProxyCredentials being ignored when creating a subject and the proxied request fails with missing credentials and no service ticket found errors.
Thanks