JDK-6576422 : Get service ticket from Windows LSA cache
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Priority: P3
  • Status: Resolved
  • Resolution: Won't Fix
  • OS: generic
  • CPU: generic
  • Submitted: 2007-07-03
  • Updated: 2018-04-13
  • Resolved: 2018-03-07
Description
In order to get a service ticket, the client must send a TGS_REQ to the KDC, and that request is encrypted with the session key from the TGT. In recent versions of Windows the session key in the TGT handed out by the LSA is disabled by default (etype = 0); a registry key must be set to enable it. This RFE proposes using a native Windows API to retrieve the service ticket without the registry setting.

See http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html
In Vista, when a user is in the local admin group, even if (s)he adds the allowtgtsessionkey registry entry and the etype changes to non-zero, the key bytes are still all zeros. In this case there is no workaround.
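As an added example (not code from the JDK or from this report), the following JAAS login reads the TGT from the native credential cache, which on Windows is the LSA cache described above, and checks whether its session key is usable before any TGS_REQ or delegation is attempted; the configuration entry name `LsaCheck` and the class name are assumptions.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class LsaTgtSessionKeyCheck {

    // JAAS configuration built in code (entry name "LsaCheck" is an assumption).
    // useTicketCache=true makes Krb5LoginModule read the TGT from the native
    // cache instead of prompting; doNotPrompt=true fails fast if that is empty.
    static Configuration lsaCacheConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = Map.of(
                        "useTicketCache", "true",
                        "doNotPrompt", "true",
                        "renewTGT", "false");
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    // True only when the TGT carries a session key a TGS_REQ could be encrypted with.
    static boolean hasUsableSessionKey(KerberosTicket tgt) {
        // etype 0 is what the LSA returns when allowtgtsessionkey is not set
        if (tgt.getSessionKeyType() == 0) return false;
        // Vista local-admin case from the description: etype non-zero, key all zeros
        for (byte b : tgt.getSessionKey().getEncoded()) if (b != 0) return true;
        return false;
    }

    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("LsaCheck", null, null, lsaCacheConfig());
        lc.login();
        Subject subject = lc.getSubject();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            String spn = t.getServer().getName();
            if (!spn.startsWith("krbtgt/")) continue;   // only the TGT matters here
            System.out.println(hasUsableSessionKey(t)
                    ? "TGT " + spn + " has a usable session key (etype " + t.getSessionKeyType() + ")"
                    : "TGT " + spn + " has a zero session key: TGS_REQ and delegation will fail "
                      + "until allowtgtsessionkey is set (or not at all on the Vista admin case)");
        }
        lc.logout();
    }
}
```

If the JDK itself rejects the zero-key TGT during login, the LoginException it throws is the same diagnostic, so treat it the same way as the zero-key branch above.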

Comments
With MSSFU, maybe the delegation is no longer a problem, or at least not a fatal one.
19-03-2016

EVALUATION After a series of experiments, I decided to drop this RFE. With allowtgtsessionkey, the client can get a service ticket from the LSA with a non-zero session key, thus a normal communication between the client and service is possible. But when the client wants to do delegation, the FORWARDED TGT still has a zero session key. Although this ticket can be forwarded to the service, the service has no way to use it anymore. Therefore, the user experience using this approach is not complete.
04-05-2009

WORK AROUND Use the allowtgtsessionkey registry key mentioned in http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html. Exception: see Description #2.
06-11-2007