Hi Sunny
If I understand correctly, the major difference between SSPI and GSS-API
is delegation. In GSS-API, the client initiates the delegation by
forwarding a credential to the intermediate server so the latter can use
this delegated credential to access a backend server on behalf of the
client. In SSPI, the intermediate server itself asks the KDC (Active
Directory Domain Server) whether it can impersonate a client to access
the backend server. Microsoft calls it constrained delegation.
Java supports both traditional delegation and constrained delegation,
but if we add SSPI as a JGSS-API provider, it can only support
constrained delegation.
Implementing SSPI requires quite a lot of coding, including both Java
and C codes. There will also be quite some testing work.
A partial solution is to only support Windows' native service ticket
retrieval. This means we can bypass the TGT (where AllowTGTSessionKey is
needed) and acquire a service ticket directly. After this ticket is
available, we still use the current Java codes to access the service.
This solution also won't support traditional delegation.
There is no decision yet.
Any contribution is welcomed.
Thanks
Weijun
On 04/10/2017 12:46 PM, Chan, Sunny wrote:
Hello,
Windows has changed the default such that the session key is not
included in TGT, and for Windows SSO to work with Java implementation
out of the box it will required AllowTGTSessionKey options to be added
to the registry. However, this options has associated security risk as
it expose the session key to all apps, and it also means that right now
Kerberos SSO in Windows does not work out of the box
Looking at the Java bug database, there has been suggestion that Java
could support SSPI as a JGSS-API provided which would allow Java to work
out of the box without the AllowTGTSessionKey options.
(http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6722928). However,
in the evaluation it says:
Might support it, although I hope most of the functions of Windows SSPI
can also be supported by pure Java. Interop is important between
different platforms
I would like to understand what is the “Interop” concern here? Have we
evaluated how much work need to do to support it (so that we can
consider contributing the implementation)?
*Sunny Chan*
Executive Director
Technology
*Goldman Sachs (Asia) L.L.C.*| 39th Floor | The Center | 99 Queens Road
Central | Hong Kong
Email: sunny.c...@gs.com | Tel: +852 2978 6481 | Fax: +852 2978 0633
