JDK-8161921 : Windows 10 Credential Guard does not allow sharing of TGT with Java
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Affected Version: 8
  • Priority: P2
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows
  • CPU: x86_64
  • Submitted: 2016-07-20
  • Updated: 2019-11-22
  • Resolved: 2019-11-22
Description
A DESCRIPTION OF THE REQUEST :
Windows 10 enhances its LSASS process by virtualization. This feature is called Credential Guard.

We are using Java SSO for an in-house application and for Spark from IgniteRealtime with the known "hack" of allowtgtsessionkey, as described in the following bug report:

Java requires AllowTGTSessionKey = 1 for Kerberos SSO to work
https://bugs.openjdk.java.net/browse/JDK-8054026

Although this hack still works on Windows 10, our company security policy requires that we enable Credential Guard, and once we do that, our Java applications are not allowed to have access to the tokens any more, thus blocking SSO.



JUSTIFICATION :
Credential Guard is implemented on Windows 10 and blocks Java from accessing credentials. 

This should be resolved as many applications will stop working.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The proper solution would be to properly support Microsoft Windows SSPI as requested here: 

https://bugs.openjdk.java.net/browse/JDK-6722928
ACTUAL -
The actual behavior is that the Java applications cannot have access to the TGT token, effectively blocking the whole authentication process.

CUSTOMER SUBMITTED WORKAROUND :
The only workaround is to disable Credential Guard.


Comments
We are investigating this issue. JDK-6722928 is a possible solution.
07-03-2018