JDK-8046103 : JEP 113: MS-SFU Kerberos 5 Extensions
  • Type: JEP
  • Component: security-libs
  • Priority: P4
  • Status: Closed
  • Resolution: Delivered
  • Fix Versions: 8
  • Submitted: 2011-04-22
  • Updated: 2015-02-12
  • Resolved: 2015-02-12
Related Reports
Relates :  
JDK-6355584 - introduce constrained Kerberos delegation
Description
Summary
-------

Add the [MS-SFU extensions][1] to the JDK's Kerberos 5 implementation.


Goals
-----

  1. Implement the MS-SFU S4U2self protocol
  2. Implement the MS-SFU S4U2proxy protocol
  3. Make sure the implementation is interoperable with current MS and MIT
     implementations.


Motivation
----------

In a typical network service, the front-end (say, a web server) often
needs to access the back-end (say, a database server) on behalf of the
client. [Kerberos 5][2] supports delegation but demands all layers using
Kerberos. In some cases, the authentication between the client and the
front-end is not performed in Kerberos (for example, client logs in to a
web server using digest authentication), and there are no Kerberos
credentials to be delegated. Microsoft defines the Service for User
(S4U) extension so that the front-end can still access the back-end on
behalf of the client without the client's credentials.

Also, with the standard Kerberos 5 delegation (which Microsoft calls
open delegation), once you grant a service account an ability to
delegate it can delegate to any service at all. This means that one
needs to be very careful with this privilege. On the other hand, the
MS-SFU delegation (Microsoft calls it constrained delegation) is much
more secure. Here the administrator can precisely control which services
a particular service can delegate to.

Microsoft started using S4U since Windows Server 2003, and the feature
is also supported by MIT Kerberos 5 implementation recently (in krb5-1.8).


Description
-----------

S4U includes two extensions to the original Kerberos Protocol defined in
RFC 4120: Service-for-User-to-Self (S4U2self) which allows a  front-end
service to obtain a Kerberos service ticket to itself on  behalf of a
user, and Service-for-User-to-Proxy (S4U2proxy), which enables it to
obtain a service ticket on behalf of the user to a second, back-end service.

Collectively, these two extensions enable the front-end service to
obtain a Kerberos service ticket on behalf of a user. The resulting
service ticket can be used for:

- The requesting service's own information.
- Access control local to the service's machine, impersonating the user.
- Requests to some other service, impersonating the user.


We'll provide some new public JGSS-API to support this feature. New
config files and/or system properties are also likely to be added.


Alternatives
------------

We can also enhance the native JGSS provider to make use of existing S4U
feature from a native Kerberos implementation.


Testing
-------

1. Functional tests inside JDK. S4U support for the test KDC
2. Interop test with Microsoft Active Directory and MIT's Kerberos 5
implementation.


Impact
------

  - JCP: no impact on JCP
  - Other JDK components: no impact on other JDK components
  - Compatibility: minimal
  - Security: no impact on security
  - Portability: no impact on portability
  - User Interface: no graphic user interface
  - CCC: New JGSS-API, most likely new methods for GSSContext,
    possibly new config file and system properties
  - Documentation: New doc/tutorial in the JGSS section
  - Internationalization: minimal impact, likely to add new error  messages
  - Localization: minimal impact, likely to add new error messages
  - Legal: MS-SFU is published under the [Microsoft Open Specification][3]
  - Other: no known other impact


[1]: http://msdn.microsoft.com/en-us/library/cc246071(PROT.13).aspx
[2]: http://tools.ietf.org/html/rfc4120
[3]: http://www.microsoft.com/openspecifications/