On 2015-11-20 at 20:14, Marc Boorshtein wrote:
Thanks Michael.  I haven't tried this code with AD but with FreeIPA Java is
looking for the flags on the TGS-REP to be the same as in the TGS-REQ
(which seems wrong to me since it's only checking this on the S4U response,
not a generic TGS-REQ; I'm guessing this is a bug in Java's
implementation).  I'm working with the ApacheDS Kerby project to build S4U
into their client API so hopefully I'll get that working shortly.

Did the service principal properly issue a TGS-REQ with PA-FOR-USER [1]?

https://msdn.microsoft.com/en-us/library/cc246089.aspx

I would seriously recommend to set up a VM network with most recent MIT Kerberos and make it work. If it does work, start from here. Otherwise it can be very hard to track down the root cause of the incomplete requests.

You might also contact security-dev@openjdk. Weijun Wang is one of the devs I already had contact with.

Michael

On Fri, Nov 20, 2015 at 1:09 PM, Michael Osipov <micha...@apache.org> wrote:

On 2015-11-20 at 01:01, Marc Boorshtein wrote:


After you have successfully impersonated the user principal, perform your
HTTP request in a PrivilegedAction with Subject#doAs. That should do.

Thanks Michael. I'll give this a try. Which Kerberos server did you try
this against?  I tried using another example with Red Hat's IPA (I think
it's built on MIT Kerberos) and it didn't like the response tickets from
the KDC since there were no flags being set.


Marc,

I hope you have read this [1] and your environment satisfies the
requirements.
We have a very very large Active Directory installation at work. Though, I
did not try it. Some "wise guys" consider protocol transition as a security
concern/issue and won't allow enabling it.

Regardless of this, having an impersonated ticket shouldn't be any
different than an original TGT or a delegated one. The usage flow is always
the same. In GSS-API, JGSS or SSPI.

Michael

[1] http://k5wiki.kerberos.org/wiki/Projects/Services4User
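The flow Michael describes (impersonate the user principal, then run the HTTP request inside a PrivilegedAction with Subject#doAs), written out as an added example that is neither from this thread nor from HttpClient itself. It uses the JDK's com.sun.security.jgss.ExtendedGSSCredential.impersonate for S4U2self and HttpClient 4.x for the request; the JAAS entry name "ServiceLogin", the principal names and the back-end URL are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;
import com.sun.security.jgss.ExtendedGSSCredential;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class S4UHttpClientExample {
    public static void main(String[] args) throws Exception {
        // Assumed values: a JAAS entry "ServiceLogin" (keytab of the front-end service),
        // the user to act for, the back-end SPN in GSS host-based form, and its URL.
        String user = "alice@EXAMPLE.ORG";
        String backendSpn = "HTTP@backend.example.org";
        String url = "https://backend.example.org/api";

        LoginContext lc = new LoginContext("ServiceLogin");
        lc.login();   // AS-REQ: the service's own TGT is stored in the Subject

        // Everything below runs as the service Subject so JGSS can find that TGT.
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            GSSManager gm = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism (RFC 1964)
            GSSCredential serviceCred = gm.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
            // S4U2self: TGS-REQ carrying PA-FOR-USER; the KDC issues a ticket to this service
            // in the user's name. Requires the KDC to allow protocol transition for the service.
            GSSName userName = gm.createName(user, GSSName.NT_USER_NAME);
            GSSCredential asUser = ((ExtendedGSSCredential) serviceCred).impersonate(userName);
            // S4U2proxy: initiating a context with the impersonated credential makes JGSS ask
            // for the back-end ticket on the user's behalf (constrained delegation).
            GSSName target = gm.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = gm.createContext(target, krb5, asUser, GSSContext.DEFAULT_LIFETIME);
            byte[] apReq = ctx.initSecContext(new byte[0], 0, 0);   // Kerberos AP-REQ token
            HttpGet get = new HttpGet(url);
            get.setHeader("Authorization",
                    "Negotiate " + Base64.getEncoder().encodeToString(apReq));
            try (CloseableHttpClient http = HttpClients.createDefault();
                 CloseableHttpResponse resp = http.execute(get)) {
                System.out.println("Back-end answered: " + resp.getStatusLine());
            } finally {
                ctx.dispose();
            }
            return null;
        });
    }
}
```

The KDC only honours the impersonate step for a service account that has protocol transition enabled, and the context step only for a back-end SPN that account is allowed to delegate to; those two settings are the controls the "wise guys" in the thread are guarding, so expect KDC errors rather than tickets until they are in place.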



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
