Bug ID: JDK-8005819 Support cross-realm MSSFU

JDK-8005819 : Support cross-realm MSSFU

Type: Enhancement
Component: security-libs
Sub-Component: org.ietf.jgss:krb5
Affected Version: 8,11

Priority: P4
Status: Resolved
Resolution: Fixed
OS: generic
CPU: generic

Submitted: 2013-01-07
Updated: 2021-07-07
Resolved: 2019-12-13

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 13	JDK 15	JDK 8	Other
11.0.12-oracleFixed	13.0.3Fixed	15 b02Fixed	8u301Fixed	openjdk8u252Fixed

Related Reports

Duplicate :	JDK-8256659 - Incorrect parsing of krb5 username
Relates :	JDK-8256659 - Incorrect parsing of krb5 username
Relates :	JDK-8270137 - Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup

Sub Tasks

JDK-8254596 :	Release Note: Support cross-realm MSSFU - Resolved
JDK-8254726 :	Release Note: Support for cross-realm MSSFU - Closed

Description

The kerberos client has partial support for the Microsoft MS-SFU extensions [1]. These extensions can be used by "middle services" to obtain a TGS (Ticket-Granting-Service) on behalf of a user principal, in a constrained delegation context. S4U2Self extension describes impersonation on the same "middle service" while S4U2Proxy on a "backend service".

In the S4U2Self case, current implementation requires the impersonated principal and the "middle service" to be in the same realm. S4U2Proxy has a similar requirement for the "backend service". As a result, cross-realm referrals (specified by this protocol extension [2] [3]) cannot be handled. See an example of a S4U2self communication on a multiple-realm context here [4].

The goal of this enhancement is to leverage on the support for Kerberos cross-realm referrals (introduced in the context of 8215032 [5]) and extend it to S4U2Self and S4U2Proxy.

Note: the absence of this enhancement was originally noticed in new tests introduced for JEP113. See original report below [6]. 
--
[1] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94
[2] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/b2f8745f-5bd9-4c93-8a2b-ff4b95ed63eb
[3] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/36a72c74-7995-4cba-a2d2-6c9471a2a6af
[4] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/f35b6902-6f5e-4cd0-be64-c50bbaaf54a5
[5] - https://bugs.openjdk.java.net/browse/JDK-8215032

[6] - The test jep113/MIT-AD2008-AD2008-Cons, jep113/SEAM-AD2008-AD2008-Cons is part of the new tests for JEP113, Constrained delegation in Kerberos

Test Description: 
---------------------
client@REALM2 has established a kerberos context with krbservice1@REALM1 with delegcred=false,  krbservice1@REALM1 delegates to krbservice2@REALM1 using S4U2PROXY 
NOTE : S4U2PROXY  is within the same realm


The test jep113/MIT-AD2008-AD2008-Cons, jep113/SEAM-AD2008-AD2008-Cons fails with message : 
[2013-01-07T22:30:33.73] KrbException: KDC cannot accommodate requested option (13)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
[2013-01-07T22:30:33.73]        at sun.security.krb5.internal.CredentialsUtil.acquireS4U2proxyCreds(CredentialsUtil.java:90)
[2013-01-07T22:30:33.73]        at sun.security.krb5.Credentials.acquireS4U2proxyCreds(Credentials.java:460)
[2013-01-07T22:30:33.73]        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:694)
[2013-01-07T22:30:33.73]        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
[2013-01-07T22:30:33.73]        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
[2013-01-07T22:30:33.73]        at Krb5Initiator.establishSecurityContext(Krb5Initiator.java:132)
[2013-01-07T22:30:33.73]        at UseDelegatedCredAction.run(UseDelegatedCredAction.java:64)
[2013-01-07T22:30:33.73]        at java.security.AccessController.doPrivileged(Native Method)
[2013-01-07T22:30:33.73]        at javax.security.auth.Subject.doAsPrivileged(Subject.java:474)
[2013-01-07T22:30:33.73]        at Server.impersonateClient(Server.java:470)
[2013-01-07T22:30:33.73]        at Server.run(Server.java:147)
[2013-01-07T22:30:33.73]        at java.lang.Thread.run(Thread.java:722)
[2013-01-07T22:30:33.73] Caused by: KrbException: Identifier doesn't match expected value (906)
[2013-01-07T22:30:33.73]        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
[2013-01-07T22:30:33.73]        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
[2013-01-07T22:30:33.73]        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
[2013-01-07T22:30:33.73]        ... 14 more
[2013-01-07T22:30:33.73] GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
[2013-01-07T22:30:33.73]        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:767)
[2013-01-07T22:30:33.73]        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
[2013-01-07T22:30:33.73]        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
[2013-01-07T22:30:33.73]        at Krb5Initiator.establishSecurityContext(Krb5Initiator.java:132)
[2013-01-07T22:30:33.73]        at UseDelegatedCredAction.run(UseDelegatedCredAction.java:64)
[2013-01-07T22:30:33.73]        at java.security.AccessController.doPrivileged(Native Method)
[2013-01-07T22:30:33.73]        at javax.security.auth.Subject.doAsPrivileged(Subject.java:474)
[2013-01-07T22:30:33.73]        at Server.impersonateClient(Server.java:470)
[2013-01-07T22:30:33.73]        at Server.run(Server.java:147)
[2013-01-07T22:30:33.73]        at java.lang.Thread.run(Thread.java:722)
[2013-01-07T22:30:33.73] Caused by: KrbException: KDC cannot accommodate requested option (13)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
[2013-01-07T22:30:33.73]        at sun.security.krb5.internal.CredentialsUtil.acquireS4U2proxyCreds(CredentialsUtil.java:90)
[2013-01-07T22:30:33.73]        at sun.security.krb5.Credentials.acquireS4U2proxyCreds(Credentials.java:460)
[2013-01-07T22:30:33.73]        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:694)
[2013-01-07T22:30:33.73]        ... 9 more
[2013-01-07T22:30:33.73] Caused by: KrbException: Identifier doesn't match expected value (906)
[2013-01-07T22:30:33.73]        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
[2013-01-07T22:30:33.73]        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
[2013-01-07T22:30:33.73]        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
[2013-01-07T22:30:33.73]        ... 14 more
[2013-01-07T22:30:33.73] GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
[2013-01-07T22:30:33.73]        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:767)
[2013-01-07T22:30:33.73]        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
[2013-01-07T22:30:33.73]        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
[2013-01-07T22:30:33.73]        at Krb5Initiator.establishSecurityContext(Krb5Initiator.java:132)
[2013-01-07T22:30:33.73]        at UseDelegatedCredAction.run(UseDelegatedCredAction.java:64)
[2013-01-07T22:30:33.73]        at java.security.AccessController.doPrivileged(Native Method)
[2013-01-07T22:30:33.73]        at javax.security.auth.Subject.doAsPrivileged(Subject.java:474)
[2013-01-07T22:30:33.73]        at Server.impersonateClient(Server.java:470)
[2013-01-07T22:30:33.73]        at Server.run(Server.java:147)
[2013-01-07T22:30:33.73]        at java.lang.Thread.run(Thread.java:722)
[2013-01-07T22:30:33.73] Caused by: KrbException: KDC cannot accommodate requested option (13)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
[2013-01-07T22:30:33.73]        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
[2013-01-07T22:30:33.73]        at sun.security.krb5.internal.CredentialsUtil.acquireS4U2proxyCreds(CredentialsUtil.java:90)

Comments

Fix request (13u): The change applies cleanly, the prerequisite (fix for JDK-8215032) is already available in 13u.
19-03-2020
A bit premature for approval if this needs fixes not yet in 8u-dev. Let's wait until we're ready to push before approving to avoid confusion.
17-01-2020
Thanks for the 8u backport approval. I'll push after jdk8u242-b08 is merged to 8u-dev (currently in 8u), as this is a pre-requisite for this backport.
17-01-2020
I'm approving this for 8u as it seems an internal change only. Testing will show - particularly interested in TCK results - whether this will cause issues. We've had some recent troubles in 8u for the JDK-8215032 backport.
17-01-2020
Fix request (8u) Same reasoning than for 11u fix request. Patch applies cleanly to 8u (modulo paths) and regression tests under sun/security/krb5 pass. The risk assessment is not different than for 11u: reasonably low risk and no interfaces affected (changes are all Kerberos client internal).
17-01-2020
I think this can go into 11u. While I don't understand all the details, I don't see spec breaking changes and the fix seems local to the internal krb5 implementation. Approving.
17-01-2020
Fix request (11u) I wish we could have this enhancement backported to 11u in order to bring better MSSFU capabilities to OpenJDK's Kerberos client. In particular, cross-realm support. This has been requested by some OpenJDK users. This enhancement sits on top of "Support Kerberos cross-realm referrals (RFC 6806)" enhancement (JDK-8215032), who has been backported to 11u already. Patch applies cleanly and risk is reasonably low.
15-01-2020
URL: https://hg.openjdk.java.net/jdk/jdk/rev/a2b03207a7f9 User: mbalao Date: 2019-12-13 02:30:36 +0000
13-12-2019
Neither S4U2self nor S4U2proxy works cross-realm now, that is to say, all client, intermediate server, backend server must be in the same realm. Will consider support it after Kerberos referral is supported. At the moment, lower the priority to P4.
08-01-2013
Following are the tests failing in nightly JGSS/jep113/MIT-AD2008-AD2008-Cons JGSS/jep113/SEAM-AD2008-AD2008-Cons
07-01-2013