Is there any example of how to do constrained delegation with Java 8/7? I tried searching around with no luck.

Best Regards

Gladiat0r

1 Answer

Here is a Java 8 code snippet that generates a SPNEGO token with a TGS ticket for an impersonated user:

import org.ietf.jgss.*;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.ExtendedGSSCredential;

// serviceCredentials: GSSCredential of the trusted service account, obtained inside its JAAS Subject
GSSManager manager = GSSManager.getInstance();
GSSName userName = manager.createName("targetUser", GSSName.NT_USER_NAME);
// S4U2Self: ask the KDC for a ticket to ourselves on behalf of targetUser
GSSCredential impersonatedUserCreds =
  ((ExtendedGSSCredential) serviceCredentials).impersonate(userName);

final Oid KRB5_PRINCIPAL_OID = new Oid("1.2.840.113554.1.2.2.1");
GSSName servicePrincipal =
  manager.createName("HTTP/webservice-host.domain.ltd", KRB5_PRINCIPAL_OID);
// S4U2Proxy happens inside initSecContext: the TGS for the target SPN is requested with the impersonated credential
ExtendedGSSContext extendedContext =
  (ExtendedGSSContext) manager.createContext(servicePrincipal,
                                             new Oid("1.3.6.1.5.5.2"), // SPNEGO mechanism OID
                                             impersonatedUserCreds,
                                             GSSContext.DEFAULT_LIFETIME);
final byte[] token = extendedContext.initSecContext(new byte[0], 0, 0);

Beware that extendedContext is not established yet; multiple rounds with the server may be required.

A simple demonstration code is available at https://github.com/ymartin59/java-kerberos-sfudemo

You may also refer to the following project code: https://github.com/tellisnz/collared-kerberos

Yves Martin
  • I am getting "KDC cannot accommodate requested option (13)". Any idea? – Bhushan Karmarkar Jul 11 '19 at 07:56
  • It works only when protocol transition is allowed. It fails when the "Use Kerberos only" option is selected. – Bhushan Karmarkar Jul 17 '19 at 10:47
  • That is expected. The Active Directory option "Use Kerberos only" concerns "Kerberos V5 delegation", where the end-user TGT is flagged as forwardable, which may lead to security issues. That is exactly the point of the creation of Kerberos Constrained Delegation, where the end-user TGT no longer needs to be forwardable: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/bde93b0e-f3c9-4ddf-9f44-e1453be7af5a – Yves Martin Jul 18 '19 at 05:21
  • So to sum up, the "Use Kerberos only" option does not allow Kerberos Constrained Delegation, where Active Directory expects you to list all resources the service is expected to request a TGS for. – Yves Martin Jul 18 '19 at 05:41
  • I am talking about the case of constrained delegation only. Under "Trust this user for delegation to specified service only", you can see two options: "Use Kerberos Only" and "Use any authentication protocol" (aka protocol transition). Your solution works for protocol transition only. For the "Kerberos Only" setting, you need to get a TGS for another service using the user's TGS for the current service. That is not covered in the sample code. – Bhushan Karmarkar Jul 18 '19 at 06:50
  • Correct, the sample code does two steps: impersonation and then "delegation". If the code has already received a Kerberos/SPNEGO context in the JAAS Subject, the second step may work as-is. Again, "Use Kerberos only" requires the user TGT to be forwardable (as in Kerberos V5 delegation), which has security risks. Kerberos Constrained Delegation requires specifying the target SPN in "Trust this computer for delegation to specified services only" to allow the trusted service account to request a new TGS from the received user's TGS. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739740(v=ws.10) – Yves Martin Jul 19 '19 at 11:35
  • "If the code has already received a Kerberos/SPNEGO context in the JAAS Subject, the second step may work as-is" --> Do you mean that instead of obtaining impersonated credentials, I should directly call for a service ticket for service 2? – Bhushan Karmarkar Jul 19 '19 at 11:59
  • Exactly. With only the service1 TGS in context (when the end-user TGT is not forwarded), the Java Kerberos stack should trigger S4U2Proxy (aka Constrained Delegation) to obtain the "service2" TGS, as far as the "service2" SPN is allowed in the service1 account (section "Trust this computer for delegation to specified services only"). – Yves Martin Jul 21 '19 at 12:39
  • Here is what I've done: (0) Constrained delegation with "Kerberos only" is set. (1) Perform login using service 1 credentials. (2) Accept the Kerberos ticket from the user using "service1context.acceptSecContext". (3) Then we try to get a TGS for service 2 using "service1Context.initSecContext". (4) What is received is a TGS of service 2 for service1user instead of the end user.... It will be really helpful if you can provide any sample code or pointers to where I can get the sample code. – Bhushan Karmarkar Jul 22 '19 at 07:05
  • I am struggling on point #6 of figure 2 in following link - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/1fb9caca-449f-4183-8f7a-1a5fc7e7290a – Bhushan Karmarkar Jul 22 '19 at 07:05
  • OK. I made mistakes because Active Directory has two "Kerberos only" options (https://support.microsoft.com/en-hk/help/4494313/configuring-web-enrollment-proxy-for-s4u2proxy-constrained-delegation). For a double-hop example like the one you describe, I recommend referring to https://github.com/tellisnz/collared-kerberos – Yves Martin Aug 04 '19 at 09:13
  • Finally got success!! I've summarized here: https://stackoverflow.com/a/57377671/1471779 – Bhushan Karmarkar Aug 06 '19 at 14:05
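Putting the answer's S4U2Self snippet and the double-hop ("Use Kerberos only") case from the comments side by side, here is an added Java 8 example; it is not code from the answer or from the linked projects. It assumes the service1 account is already logged in through JAAS from its keytab and that its Subject is passed in, uses a hypothetical SPN HTTP/service2.example.com, takes the caller's transport for the token round trips as a function, and assumes that after acceptSecContext with no forwarded TGT, getDelegCred() returns OpenJDK 8's S4U2Proxy credential.

```java
import java.security.PrivilegedExceptionAction;
import java.util.function.UnaryOperator;
import javax.security.auth.Subject;
import org.ietf.jgss.*;
import com.sun.security.jgss.ExtendedGSSCredential;

public class S4uDemo {
    static Oid oid(String s) { try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); } }
    static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");
    static final Oid SPNEGO_MECH = oid("1.3.6.1.5.5.2");
    static final Oid KRB5_PRINCIPAL = oid("1.2.840.113554.1.2.2.1");

    /** Mode A ("Use any authentication protocol"): S4U2Self, no ticket from the end user is needed. */
    static GSSCredential viaImpersonation(GSSManager mgr, GSSCredential service1, String user) throws GSSException {
        return ((ExtendedGSSCredential) service1).impersonate(mgr.createName(user, GSSName.NT_USER_NAME));
    }

    /** Mode B ("Use Kerberos only"): the user's own ticket to service1 is the S4U2Proxy evidence.
     *  Assumption: with no forwarded TGT, getDelegCred() hands back OpenJDK 8's S4U2Proxy credential. */
    static GSSCredential viaUserTicket(GSSManager mgr, GSSCredential service1, byte[] apReq) throws GSSException {
        GSSContext acceptor = mgr.createContext(service1);
        acceptor.acceptSecContext(apReq, 0, apReq.length);  // a Kerberos AP-REQ completes in one round
        return acceptor.getDelegCred();
    }

    /** Second hop as the user; loops because the context is not established after one initSecContext. */
    static GSSContext delegateTo(GSSManager mgr, GSSCredential asUser, String spn, UnaryOperator<byte[]> sendToServer) throws GSSException {
        GSSContext ctx = mgr.createContext(mgr.createName(spn, KRB5_PRINCIPAL), SPNEGO_MECH,
                                           asUser, GSSContext.DEFAULT_LIFETIME);
        byte[] in = new byte[0];
        while (!ctx.isEstablished()) {
            byte[] out = ctx.initSecContext(in, 0, in.length);
            if (out != null && out.length > 0) {
                in = sendToServer.apply(out);  // e.g. carried in an HTTP "Authorization: Negotiate" header
                if (in == null) in = new byte[0];
            }
        }
        return ctx;
    }

    /** Everything runs inside service1's JAAS Subject (assumed already logged in from its keytab). */
    static GSSContext run(Subject service1Subject, String user, UnaryOperator<byte[]> sendToServer) throws Exception {
        return Subject.doAs(service1Subject, (PrivilegedExceptionAction<GSSContext>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSCredential service1 = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                                                          KRB5_MECH, GSSCredential.INITIATE_AND_ACCEPT);
            GSSCredential asUser = viaImpersonation(mgr, service1, user);     // or viaUserTicket(...) for mode B
            return delegateTo(mgr, asUser, "HTTP/service2.example.com", sendToServer);  // hypothetical SPN
        });
    }
}
```

Which of the two credential paths succeeds is decided by the delegation option set on the service1 account in Active Directory, not by the code, so a "KDC cannot accommodate requested option" error from viaImpersonation means protocol transition is not enabled for that account.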