Hi Weijun,

> Hi Michael
>
> The feature was dropped mainly because of delegation problem. If I
> remember (and understand) correctly, using the underlying SSPI there
> seems no good way to acquire a FORWARDED ticket and send it to the
> middle server to perform delegation. I think maybe Microsoft restricts
> this so that you are always under the UAC umbrella, otherwise, a
> forwarded TGT might let you do much more it wants.
>
> This means if the client uses SSPI but the server uses pure Java, there
> is a loss of function, and I was not happy with this (4 years ago).
>
> This might change if pure Java Kerberos also supports constrained
> delegation.

This is confusing. Why is a SPNEGO ticket sent by Firefox which is generated with SSPI forwardable then? I was happily able to retrieve a service ticket for an Active Directory server on behalf of that user's GSSCredential and retrieve some data through LDAP.

InitializeSecurityContext and ISC_REQ_DELEGATE don't do the job? Would it suffice to acquire the CredHandle from AcquireCredentialsHandle and convert that to GSSCredential?

Disclaimer: I am not a C++ hacker nor am I experienced with SSPI. But strong with Kerberos on Java.

> BTW, when you say "a very good patch", have you compiled it and really
> find it useful? This patch was still in experimental status at the time
> of posting.

No, I did a code review. It looked very promising. At least way better than the current situation.

Is there any chance to re-review that in 2012 with a new outcome?

Thanks for the quick response,

Mike

> On 08/14/2012 05:14 PM, [email protected] wrote:
> > Hi folks,
> >
> > like many many other developers I have switched to Windows 7 on my
> > machine. After hours of search I have realized that JGSS is seriously
> > crippled due to UAC, account permissions and LSA's limitations.
> >
> > I have found the ticket 6722928 which has been filed more than 4 years
> > ago. Surprisingly, Weijun Wang has already provided a very good patch [1]
> > and nothing has happened since 2010.
> >
> > The current situation of Kerberos in Java on Windows 7 is very
> > frustrating from an enterprise point of view. I am convinced that I speak
> > for the vast majority of devs and users who want to have native SSPI
> > support on Windows with tampering with the registry, cred caches, ini
> > files. Most even can't do because group policies don't allow it.
> > Fortunately I can but since I am a local admin with a domain account, I
> > am crippled too.
> >
> > Is there anything happening from the OpenJDK folks (Oracle JDK devs) to
> > fix that issue anytime soon? This would bring the great Java platform on
> > par with .NET's support of GSS-API/SSPI on Windows.
> >
> > Yours,
> >
> > Michael Osipov
> >
> > [1] http://cr.openjdk.java.net/~weijun/6722928/webrev.00/jdk.patch
