1

I have a requirement as follows:

Client1 interacts with Service1 which in turn interacts with Service 2. The interaction with Service 2 should happen on behalf of Client1. Authentication being used here is kerberos, and I have few issues in explicitly setting the requestCredDelegation(true) on the client side. I thought S4U2 self + S4U2 Proxy kerberos extensions could solve the issue.

These are the things I have done:

a) In the AD, On the Service1 account, enabled trusted delegation for specific service. I am not sure which service type should be selected, if the service2 is a simple java service and Service1 connects to Service2 through sockets. I selected "Host" as the service type.

b) In my Service1 java code, after the client <-> Server connection is established: 1) I create the server credentials: serverCreds = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME, krb5Oid, GSSCredential.INITIATE_ONLY);;

2). Create the GSSName corresponding to the client GSSName other = manager.createName(XXX, GSSName.NT_USER_NAME, krb5Oid);

3) GSSCredential clientcreds = ((ExtendedGSSCredential)serverCreds).impersonate(other);

Impersonated client creds show up as:: [GSSCredential: client@domain.COM 1.2.840.113554.1.2.2 Initiate [class sun.security.jgss.krb5.Krb5ProxyCredential] client@domain.COM 1.3.6.1.5.5.2 Initiate [class sun.security.jgss.spnego.SpNegoCredElement]]

Not sure why the SpNegoCredElement shows up, though i dont use that mechanism at all.

4) Having the impersonated credential, I try to connect Service 1 to Service 2, by creating the context :

GSSContext context = manager.createContext(serverName, krb5Oid, impersonatedUserCredential, GSSContext.DEFAULT_LIFETIME); ....... context.initSecContext(token, 0, token.length);

I get an error of No Valid credentials found.
I have created a Subject from the impersonated Credentials and try to run a privileged Action, but similar error shows up, no service ticket found in the Subject.

I see that when a subject is created by passing in the Credentials, Krb5ProxyCredential is being ignored,

"Skipped cred element: sun.security.jgss.krb5.Krb5ProxyCredential@7e0babb1"

Could somebody let me know, what i am missing here. thanks.

Krishna Mothukuri
  • 53
  • 4
  • Never use "Host" as the service type. – T-Heron May 11 '17 at 22:20
  • Thanks @T-Heron, but, i was not sure, what type does my Java service (listening on a specific port), quality for ? (does each of those standard service types expect a specific pattern in the SPN convention ?). – Krishna Mothukuri May 14 '17 at 16:09
  • Have you checked with Wireshark first? @T-Heron, why? What's wrong with `host` service class? – Michael-O Feb 03 '18 at 23:56
  • @Michael-O - I don't like to see 'host' used as a service class because the 'host' service represents the host computer which is no good to use in load-balancing scenarios. Because its limiting in that way I never recommend it. Typically, anything which starts to grow will eventually need to spread across multiple servers in a cluster or farm scenario and will need to use load-balancing. At least, this is my opinion of it. – T-Heron Feb 04 '18 at 01:36
  • @T-Heron, this makes sense, butI think the OP does not need to add even more complexity in the first place for a already complex setup. Start low and grow. Changing SPNs is very easy. – Michael-O Feb 05 '18 at 08:00
  • @Michael-O - agreed. – T-Heron Feb 05 '18 at 13:45
  • Hi Krishna, did you manage to get the solution? We are stuck at the same point. – Bhushan Karmarkar Jul 11 '19 at 10:21

0 Answers0