Thanks Michael. I haven't tried this code with AD but with FreeIPA Java is looking for the flags on the TGS-REP to be the same as in the TGS-REQ (which seems wrong to me since its only checking this on the s4u response, not a generic TGS-REQ I'm guessing this is a bug in Java's implementation). I'm working with the ApacheDS Kerby project to build S4U into their client API so hopefully I'll get that working shortly.
On Fri, Nov 20, 2015 at 1:09 PM, Michael Osipov <micha...@apache.org> wrote: > Am 2015-11-20 um 01:01 schrieb Marc Boorshtein: > >> >>> After you have successfully impersonated the user principal, perform your >>> >> HTTP request in a PriviledgedAction with Subject#doAs. That should do. >> >>> >>> Thanks Micahael. Ill give this a try. Which kerberos server did you try >> this against? I tried using another example with red hats ipa (I think >> it's built on MIT kerberos) and it didn't like the response tickets from >> the kdc since there were no flags being set. >> >> > Marc, > > I hope you have read this [1] and your environment satisfies the > requirements. > We have a very very large Active Directory installation at work. Though, I > did not try it. Some "wise guys" consider protocol transition as a security > concern/issue and won't allow to enable it. > > Regardless of this, having an impersonated ticket shouldn't be any > different than an original TGT or a delegated one. The usage flow is always > the same. In GSS-API, JGSS or SSPI. > > Michael > > [1] http://k5wiki.kerberos.org/wiki/Projects/Services4User > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org > For additional commands, e-mail: httpclient-users-h...@hc.apache.org > >
