JDK-8149900 : Kerberos native credentials
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 8u73
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_8
  • CPU: x86
  • Submitted: 2016-02-06
  • Updated: 2017-09-29
  • Resolved: 2017-09-29
Related Reports
Duplicate :  
Relates :  
Relates :  
Description
FULL PRODUCT VERSION :
java version "1.8.0_71"
Java(TM) SE Runtime Environment (build 1.8.0_71-b15)
Java HotSpot(TM) Client VM (build 25.71-b15, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Windows

A DESCRIPTION OF THE PROBLEM :
A well-known problem with performing Single Sign On (SSO) in a Java client against a SPNEGO server is that the method acquireDefaultNativeCreds in class sun.security.krb5.Credentials is unable to retrieve native Kerberos credentials.

This happens because Windows won't handle the encryptionKey and then the code in sun/security/krb5/NativeCreds.c will abort the credentials retrieval.

I'm not a security expert, but I wonder if this key is really always necessary to perform SSO. Isn't it the case that, for authentication purposes, Credentials with a null encryptionKey are OK?!?

Isn't the default Java SPNEGO client implementation unnecessarily hampered? Why should browsers (Chrome/Firefox/IE) be able to perform SSO and not a Java client?

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Try SSO against a SPNEGO Kerberos enabled server.


REPRODUCIBILITY :
This bug can be reproduced always.


Comments
This is something that may be addressed by JDK-6576422. Closing this record.
29-09-2017