> > On Apr 19, 2016, at 8:48 PM, Osipov, Michael <[email protected]> wrote:
> >
> >>> Are there any plans to add referral support?
> >>
> >> Not yet.
> >>
> >>> Can we log this issue in bugs.openjdk.java.net/browse/JDK?
> >>
> >> You can always do that, but such a feature should be covered by a JEP.
> >
> > Only JDK devs have write access. All I can do is a bug report with
> > http://bugreport.java.com/. A JEP can probably be initiated by you or your
> > colleagues. Even if so, this probably won't make it into Java 9.
>
> There is another bug https://bugs.openjdk.java.net/browse/JDK-6631053
> which is about referral for client. I've just added a comment on server
> and cross-realm routing.
I know this ticket and it does not describe what you think. This has nothing to do with canonicalize in KdcOptions and it won't solve the problem. Just tried that option on MIT Kerberos, no avail. This option applies to client principals only and is useful when you perform kinit with an enterprise principal.

Back to the issue, in short: if you receive an LDAP referral from Active Directory, the URL contains not a hostname but a naming context name. For such an NC name no SPN exists, so Kerberos will fail. Additional steps need to be taken to make it work. I am currently assessing how I can solve this for us, because this is AD-specific. Of course, Oracle's support in extending their LDAP implementation would be awesome. If you'd like to know more about this, see [1] and [2].

> > In the meantime, can this be documented somewhere in the official docs
> > of Oracle?
>
> The documentation for Kerberos in Java is at
>
> http://download.java.net/jdk9/docs/technotes/guides/security/jgss/jgss-api-mechanism.html
>
> It has not listed RFC 6806.

Exactly, that's the RFC I am talking about. Thank you for bringing this up. People once in a while ask for client referrals on Stack Overflow [3]; I'd rather see server referrals. Anyway, if you think that you or someone else will pick up this RFC, I'd be more than happy to test that. I have three forests, tens of domains and thousands of SPNs to test.

Michael

[1] http://mail.openjdk.java.net/pipermail/core-libs-dev/2016-April/040347.html
[2] http://tomcatspnegoad.sf.net/referral-handling
[3] http://stackoverflow.com/q/34398114/696632
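The following is an added illustration of the failure Michael describes, not code from the thread, from the JDK, or from the tomcatspnegoad project. An AD referral names the target naming context by its DNS domain name (ldap://child.example.com/DC=child,DC=example,DC=com), so a GSSAPI client would ask the KDC for ldap/child.example.com, an SPN no domain controller registers. The script detects that case and performs the extra step a client needs: look up a domain controller for that domain and rewrite the referral to a real host before chasing it. The domain names and host names are hypothetical, and DNS is replaced by a constructed in-memory SRV table so the script runs offline; a real client would query _ldap._tcp.<domain> instead.

```python
"""
Added example (not part of the mailing-list thread): detect an Active Directory
LDAP referral whose host part is a naming-context DNS name, and rewrite it to a
domain controller host so that a valid ldap/<host> SPN can be requested.
"""
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample of what a resolver would return for _ldap._tcp.<domain>.
# Tuples are (priority, weight, port, target); all names are hypothetical.
SRV_TABLE = {
    "_ldap._tcp.child.example.com": [
        (0, 100, 389, "dc1.child.example.com"),
        (0, 100, 389, "dc2.child.example.com"),
        (10, 100, 389, "dc3.child.example.com"),
    ],
}


def dn_domain(dn):
    """DNS domain name encoded in the DC= components of a distinguished name."""
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p[3:] for p in parts if p.lower().startswith("dc=")]
    return ".".join(dcs).lower()


def is_naming_context_referral(url):
    """True when the URL host is the naming context's DNS name, not a server."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    base_dn = unquote(u.path.lstrip("/"))
    return host != "" and host == dn_domain(base_dn)


def pick_dc(domain, srv_table=SRV_TABLE):
    """Choose lowest priority, then highest weight (deterministic for the demo;
    a real resolver randomises among equal-weight records)."""
    records = srv_table.get(f"_ldap._tcp.{domain}")
    if not records:
        raise LookupError(f"no _ldap._tcp SRV records for {domain}")
    _prio, _weight, port, target = sorted(records, key=lambda r: (r[0], -r[1]))[0]
    return target.rstrip("."), port


def rewrite_referral(url, srv_table=SRV_TABLE):
    """Return (url_to_chase, spn). A referral that already names a host is
    returned unchanged; a naming-context referral is rewritten to a DC."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if not is_naming_context_referral(url):
        return url, f"ldap/{host}"
    target, port = pick_dc(host, srv_table)
    netloc = target if port == 389 else f"{target}:{port}"
    new_url = urlunsplit((u.scheme, netloc, u.path, u.query, u.fragment))
    return new_url, f"ldap/{target}"


if __name__ == "__main__":
    referral = "ldap://child.example.com/DC=child,DC=example,DC=com"
    print("naming-context referral:", is_naming_context_referral(referral))
    print("rewritten:", rewrite_referral(referral))
```

The SPN returned alongside the rewritten URL is the one a Kerberos client needs to request from the KDC; without the rewrite it would request ldap/child.example.com and get the unknown-principal failure the thread describes.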
