JDK-8054026 : Java requires AllowTGTSessionKey = 1 for Kerberos SSO to work
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_7
  • CPU: x86
  • Submitted: 2014-07-30
  • Updated: 2014-08-01
  • Resolved: 2014-08-01
Related Reports
Duplicate : JDK-6722928
Description
A DESCRIPTION OF THE REQUEST :
* Java desktop client requires the Kerberos Windows registry setting AllowTGTSessionKey = 1 for Kerberos SSO with a kerberized backend to work. AllowTGTSessionKey = 1 is against our security policy.
* Java client fails to retrieve the requested Kerberos service ticket from the underlying Windows OS when requested via HTTP 401 challenge response
* Underlying OS is Windows 7 Enterprise SP1 in combination with Java jre1.7.0_60_32bit 
* The AllowTGTSessionKey topic is discussed in countless articles and blogs. AllowTGTSessionKey = 1 makes the problem go away but is against the security policy due to its inherent security risk.


JUSTIFICATION :
* Java should integrate with the native Windows SSPI so AllowTGTSessionKey = 1 is no longer necessary. 

* AllowTGTSessionKey = 1 is a security vulnerability open to remote exploits.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
* Java should integrate with the native Windows SSPI to retrieve the required Kerberos service ticket.


ACTUAL -
The Java client just errors out with "java.io.IOException: Server returned HTTP response code: 401 for URL ...." when it receives the HTTP 401 Negotiate challenge from the kerberized backend.

---------- BEGIN SOURCE ----------
package sun.net.www.protocol.http.spnego;

import java.io.IOException;

import sun.net.www.protocol.http.HttpCallerInfo;
import sun.net.www.protocol.http.Negotiator;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

/**
 * Drop-in replacement for the JDK's NegotiatorImpl that obtains the SPNEGO
 * token from the native Windows SSPI (through Waffle) instead of from the
 * JDK's own Kerberos stack, so the TGT session key never has to be exported
 * from LSA and AllowTGTSessionKey can stay at 0.
 */
public class NegotiatorImpl extends Negotiator {

    /** Target SPN of the kerberized backend, e.g. HTTP/host.example.com */
    private final String serviceName;

    public NegotiatorImpl(HttpCallerInfo hci) throws IOException {
        this.serviceName = "HTTP/" + hci.host.toLowerCase();
    }

    @Override
    public byte[] firstToken() throws IOException {
        // Ask SSPI for the initial Negotiate token for the target SPN using
        // the logged-on user's credentials; LSA builds the AP-REQ itself.
        return WindowsSecurityContextImpl.getCurrent("Negotiate", serviceName).getToken();
    }

    @Override
    public byte[] nextToken(byte[] in) throws IOException {
        // Only the single client-to-server leg is implemented: a token the
        // server sends back (mutual authentication) is not fed into SSPI.
        return new byte[0];
    }
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
* Either set AllowTGTSessionKey = 1 
 OR 
* Override the rt.jar class NegotiatorImpl (package sun.net.www.protocol.http.spnego) and provide waffle-jna.jar, jna-4.1.0.jar and jna-platform-4.1.0.jar to integrate with the native Windows SSPI

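The report's first workaround is the registry value itself. The JDK reads the TGT out of the LSA ticket cache and builds TGS requests with its own Kerberos stack, which only works when Windows exports the TGT session key to user mode, i.e. when AllowTGTSessionKey is 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. The following PowerShell is an added example, not part of the bug report or of the JDK; the function names are mine, and it assumes the script runs on the Windows client being audited (elevation is needed only to change the value).

```powershell
# Added example (not from the original report): audit and, if required,
# revert the AllowTGTSessionKey workaround. A value of 1 lets user-mode
# callers (such as the JDK's LSA cache reader) obtain the TGT session key;
# 0 or an absent value keeps the key inside LSA.
$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-TgtSessionKeyPolicy {
    # Returns an object describing the current state so a compliance script
    # can log or act on it. Hypothetical helper name.
    $item = Get-ItemProperty -Path $KerberosParams -Name 'AllowTGTSessionKey' -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { $null } else { [int]$item.AllowTGTSessionKey }
    [pscustomobject]@{
        Path        = $KerberosParams
        Value       = $value
        KeyExported = ($value -eq 1)
    }
}

function Assert-TgtSessionKeyDisabled {
    # Throws when the machine is in the state the report calls against policy.
    $state = Get-TgtSessionKeyPolicy
    if ($state.KeyExported) {
        throw "AllowTGTSessionKey is 1 at $($state.Path): TGT session key is exportable to user mode"
    }
    $shown = if ($null -eq $state.Value) { 'not set' } else { $state.Value }
    "AllowTGTSessionKey is $shown: TGT session key stays inside LSA"
}

function Disable-TgtSessionKeyExport {
    # Reverts the registry workaround. Requires an elevated shell.
    if (-not (Test-Path $KerberosParams)) {
        New-Item -Path $KerberosParams -Force | Out-Null
    }
    Set-ItemProperty -Path $KerberosParams -Name 'AllowTGTSessionKey' -Value 0 -Type DWord
    # Processes that already cached the exported key keep working until they
    # are restarted; new Kerberos requests from the JDK's own stack will fail
    # again, which is the behaviour the report describes.
}

Assert-TgtSessionKeyDisabled
```

Run the script as-is to check a client; call Disable-TgtSessionKeyExport from an elevated shell to clear the workaround once the Java clients use the native SSPI path instead.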

Comments
Reporter is correct. Closed as a dup of JDK-6722928.
01-08-2014