[37988] in Kerberos
Kerberos with S4U2 extensions
daemon@ATHENA.MIT.EDU (Kishore Krishna M)
Mon May 22 10:58:24 2017
MIME-Version: 1.0
From: Kishore Krishna M <kishoremk@gmail.com>
Date: Mon, 22 May 2017 12:07:49 +0530
Message-ID: <CAG+a2LprchUUiAmD7-CfHaaGOznbCz-zTuVnaZP16Mq1pT19HQ@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello,
I am working on the below scenario:
Client1 interacts with Service1 which in turn interacts with Service 2. The
interaction with Service 2 should happen on behalf of Client1.
Authentication being used here is kerberos, and I have few issues in
explicitly setting the requestCredDelegation(true) on the client side. I
thought S4U2 self + S4U2 Proxy kerberos extensions could solve the issue.
These are the things I have done:
------------------------------
a) In the AD, On the Service1 account, enabled trusted delegation for
specific service.
b) In my Service1 java code, after the client <-> Server connection is
established: 1) I create the server credentials: serverCreds =
manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME, krb5Oid,
GSSCredential.INITIATE_ONLY);;
2). Create the GSSName corresponding to the client GSSName other =
manager.createName(XXX, GSSName.NT_USER_NAME, krb5Oid);
3) GSSCredential clientcreds = ((ExtendedGSSCredential)
serverCreds).impersonate(other);
Impersonated client creds show up as:: [GSSCredential:
client@domain.COM 1.2.840.113554.1.2.2
Initiate [class sun.security.jgss.krb5.Krb5ProxyCredential]
client@domain.COM 1.3.6.1.5.5.2 Initiate [class sun.security.jgss.spnego.
SpNegoCredElement]]
4) Having the impersonated credential, I try to connect Service 1 to
Service 2, by creating the context :
GSSContext context = manager.createContext(serverName, krb5Oid,
impersonatedUserCredential, GSSContext.DEFAULT_LIFETIME); .......
context.initSecContext(token, 0, token.length);
I get an error of No Valid credentials found.
I have created a Subject from the impersonated Credentials and try to run a
privileged Action, but similar error shows up, no service ticket found in
the Subject.
I see that when a subject is created by passing in the Credentials,
Krb5ProxyCredential is being ignored,
"Skipped cred element: sun.security.jgss.krb5.Krb5ProxyCredential@7e0babb1"
Could somebody let me know, why are the Krb5ProxyCredentials being ignored
when creating a subject and the proxied request fails with missing
credentials and no service ticket found.
Thanks
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
