On 08/14/2012 06:35 PM, [email protected] wrote:
Hi Weijun,
Hi Michael
The feature was dropped mainly because of delegation problem. If I
remember (and understand) correctly, using the underlying SSPI there
seems no good way to acquire a FORWARDED ticket and send it to the
middle server to perform delegation. I think maybe Microsoft restricts
this so that you are always under the UAC umbrella, otherwise, a
forwarded TGT might let you do much more than it wants.
This means if the client uses SSPI but the server uses pure Java, there
is a loss of function, and I was not happy with this (4 years ago).
This might change if pure Java Kerberos also supports constrained
delegation.
this is confusing. Why is a SPNEGO ticket sent by Firefox which is generated
with SSPI forwardable then? I was happily able to retrieve a service
ticket for an Active Directory server on behalf of that user's GSSCredential
and retrieve some data through LDAP. InitializeSecurityContext and
ISC_REQ_DELEGATE don't do the job?
Maybe I can look at it again. I remember the problem was about
delegation. I am not sure now.
I cannot determine when I can pick up the feature again. Sorry.
-Weijun
Would it suffice to acquire the CredHandle from AcquireCredentialsHandle and
convert that to GSSCredential?
Disclaimer: I am not a C++ hacker, nor am I experienced with SSPI. But strong
with Kerberos on Java.
BTW, when you say "a very good patch", have you compiled it and really
found it useful? This patch was still in experimental status at the time
of posting.
No, I did a code review. It looked very promising. At least way better than the
current situation. Is there any chance to re-review that in 2012 with a new
outcome?
Thanks for the quick response,
Mike
On 08/14/2012 05:14 PM, [email protected] wrote:
Hi folks,
like many many other developers I have switched to Windows 7 on my
machine. After hours of search I have realized that JGSS is seriously crippled
due to UAC, account permissions and LSA's limitations.
I have found the ticket 6722928 which has been filed more than 4 years
ago. Surprisingly, Weijun Wang has already provided a very good patch [1] and
nothing has happened since 2010.
The current situation of Kerberos in Java on Windows 7 is very
frustrating from an enterprise point of view. I am convinced that I speak for the
vast majority of devs and users who want to have native SSPI support on
Windows without tampering with the registry, cred caches, ini files. Most even
can't, because group policies don't allow it. Fortunately I can, but since I am
a local admin with a domain account, I am crippled too.
Is there anything happening from the OpenJDK folks (Oracle JDK devs) to
fix that issue anytime soon? This would bring the great Java platform on
par with .NET's support of GSS-API/SSPI on Windows.
Yours,
Michael Osipov
[1] http://cr.openjdk.java.net/~weijun/6722928/webrev.00/jdk.patch