I am trying to do real SSO on a Windows client with a Java rich client to an STS (Secure Token Service).
GSSAPI works, but I need at least to do a Java kinit before the call to acquire a TGT.
I have tried a lot of different approaches so far and I'm still failing with my use case: real SSO with a Windows-only Java client.
Things I tried and work:
- Browsers (Firefox, Chrome, IE, ...): all of them work with the Negotiate Authorization header
- GSS-API, if I manually do the Java kinit first (the allowtgt registry entry isn't possible anymore because of active Windows credential security)
Things I tried that don't work:
- Apache WinHttpClient
- Waffle
I think the flow is not important. The important part is the following:
- Request: GET /adfs/ls/wia?client-request-id=UUID
- Response: 401 WWW-Authenticate: Negotiate and NTLM
- Request: GET /adfs/ls/wia?client-request-id=UUID with header Authorization: Negotiate YIIMWw...
- Response: 401 WWW-Authenticate: Negotiate and NTLM
The code I use for waffle (Apache WinHttpClient does nearly the same) only differs from the working GSSAPI solution in these lines:
import java.util.Base64;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;
String SECURITY_PACKAGE = "Negotiate";
// Waffle/SSPI: build the client-side context for the target SPN and take its first token
byte[] token = WindowsSecurityContextImpl.getCurrent(SECURITY_PACKAGE, "HTTP/mystsserver.my.domain").getToken();
String ticket = Base64.getEncoder().encodeToString(token);
String header = SECURITY_PACKAGE + " " + ticket;
The GSS-API ticket and the SSPI ticket look very similar, with the same start and the same length, but IIS rejects the second one.
My questions now are:
- How can I debug this special case on the STS?
- How can I acquire a token via GSSAPI without calling kinit manually?
- What am I doing wrong with Waffle or WinHttpClient?
Thanks a lot
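The first question is how to debug the rejected token. As an added diagnostic (not code from the question or from Waffle), this Python snippet decodes the base64 value of an Authorization: Negotiate header just far enough to tell whether it is a SPNEGO NegTokenInit, a bare Kerberos token or raw NTLM, and which mechanisms a SPNEGO token offers, so the GSS-API token and the SSPI token can be compared on content rather than on their first characters and length (a "YIIM..." prefix is only the 0x60 tag plus a long-form length). The sample tokens below are constructed; the OIDs are the standard mechanism OIDs.

```python
import base64
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {  # well-known mechanism OIDs, not values taken from the question
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form, e.g. the "82 0c 5b" hidden in a "YIIM..." prefix
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """Decode DER OID contents to dotted form (first arc 0 or 1, enough here)."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def classify_negotiate_token(b64):
    """Return the outer wrapper and, for a SPNEGO NegTokenInit, its offered mechTypes."""
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):
        return {"outer": "raw NTLM", "mechs": []}
    tag, pos, _ = _tlv(tok, 0)
    if tag != 0x60:  # not a GSS-API InitialContextToken
        return {"outer": "unknown", "mechs": []}
    _, s, e = _tlv(tok, pos)  # thisMech OID
    outer = _oid(tok[s:e])
    if outer != SPNEGO_OID:
        return {"outer": MECH_NAMES.get(outer, outer), "mechs": []}
    pos = e
    for _i in range(4):  # [0] negTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF OID
        _, pos, e = _tlv(tok, pos)
    mechs = []
    while pos < e:
        _, os_, oe = _tlv(tok, pos)
        mechs.append(MECH_NAMES.get(_oid(tok[os_:oe]), _oid(tok[os_:oe])))
        pos = oe
    return {"outer": "SPNEGO", "mechs": mechs}

# Constructed samples: a hand-encoded NegTokenInit offering Kerberos then NTLM, and a raw NTLM header
SAMPLE_SPNEGO_B64 = base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864886f712010202060a2b06010401823702020a")).decode()
SAMPLE_RAW_NTLM_B64 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Run it on the base64 value captured from each client's request; a token whose mechTypes list does not start with Kerberos, or that is raw NTLM, will not be accepted by a server that expects a Kerberos-based Negotiate exchange.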