hc-httpclient-users mailing list archives

From Michael Osipov <micha...@apache.org>
Subject Re: Using kerberos + s4u2self/s4u2proxy + apache http client
Date Fri, 20 Nov 2015 20:18:00 GMT
Am 2015-11-20 um 20:14 schrieb Marc Boorshtein:
> Thanks Michael.  I haven't tried this code with AD, but with FreeIPA Java is
> looking for the flags on the TGS-REP to be the same as in the TGS-REQ
> (which seems wrong to me since it's only checking this on the S4U response,
> not a generic TGS-REQ; I'm guessing this is a bug in Java's
> implementation).  I'm working with the ApacheDS Kerby project to build S4U
> into their client API, so hopefully I'll get that working shortly.

Did the service principal properly issue a TGS-REQ with PA-FOR-USER [1]?

[1] https://msdn.microsoft.com/en-us/library/cc246089.aspx

I would seriously recommend setting up a VM network with the most recent MIT 
Kerberos and making it work. If it does work, start from here. Otherwise 
it can be very hard to tackle down the root cause of the incomplete 
requests.

You might also contact security-dev@openjdk. Weijun Wang is one of the 
devs I already had contact with.

Michael

> On Fri, Nov 20, 2015 at 1:09 PM, Michael Osipov <michaelo@apache.org> wrote:
>
>> Am 2015-11-20 um 01:01 schrieb Marc Boorshtein:
>>
>>>> After you have successfully impersonated the user principal, perform your
>>>> HTTP request in a PrivilegedAction with Subject#doAs. That should do.
>>>
>>> Thanks Michael. I'll give this a try. Which Kerberos server did you try
>>> this against?  I tried using another example with Red Hat's IPA (I think
>>> it's built on MIT Kerberos) and it didn't like the response tickets from
>>> the KDC since there were no flags being set.
>>
>> Marc,
>>
>> I hope you have read this [1] and your environment satisfies the
>> requirements.
>> We have a very very large Active Directory installation at work. Though, I
>> did not try it. Some "wise guys" consider protocol transition as a security
>> concern/issue and won't allow to enable it.
>>
>> Regardless of this, having an impersonated ticket shouldn't be any
>> different than an original TGT or a delegated one. The usage flow is always
>> the same. In GSS-API, JGSS or SSPI.
>>
>> Michael
>>
>> [1] http://k5wiki.kerberos.org/wiki/Projects/Services4User
>>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
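The flow Michael describes above (S4U2Self impersonation first, then the HttpClient request run under Subject#doAs so the SPNEGO handshake performs S4U2Proxy) as an added example; it is not code from the thread or from the HttpClient project. It assumes HttpClient 4.4 or later (KerberosCredentials), Java 8's ExtendedGSSCredential, a hypothetical JAAS entry named ServiceLogin, and a made-up user and URL.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.apache.http.auth.*;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.methods.*;
import org.apache.http.config.*;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.*;
import org.ietf.jgss.*;
import com.sun.security.jgss.ExtendedGSSCredential;

public class S4UHttpClientExample {
    public static void main(String[] args) throws Exception {
        // "ServiceLogin" is an assumed JAAS entry: a Krb5LoginModule keytab login for the
        // service principal that the KDC permits to impersonate (hypothetical name).
        LoginContext lc = new LoginContext("ServiceLogin");
        lc.login();
        // Assumed user and target URL; replace with your own.
        final String user = "alice@EXAMPLE.ORG";
        final String url = "http://web.example.org/protected/";

        int status = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Integer>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos v5 mechanism
            // Step 1 (S4U2Self): the service's own TGT-backed credential asks the KDC,
            // via a TGS-REQ carrying PA-FOR-USER, for a ticket on the user's behalf.
            GSSCredential self = mgr.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
            GSSCredential asUser = ((ExtendedGSSCredential) self)
                    .impersonate(mgr.createName(user, GSSName.NT_USER_NAME));
            // Step 2 (S4U2Proxy): HttpClient's SPNEGO scheme initialises the GSS context
            // from the impersonated credential; the KDC issues the service ticket only if
            // constrained delegation to the target service is configured for this principal.
            Lookup<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
                    .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build();
            BasicCredentialsProvider creds = new BasicCredentialsProvider();
            creds.setCredentials(AuthScope.ANY, new KerberosCredentials(asUser));
            try (CloseableHttpClient client = HttpClients.custom()
                    .setDefaultAuthSchemeRegistry(schemes)
                    .setDefaultCredentialsProvider(creds).build();
                 CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
                return resp.getStatusLine().getStatusCode();
            }
        });
        System.out.println("HTTP status as " + user + ": " + status);
    }
}
```

If the KDC has not been told that the service principal may impersonate or delegate, the failure surfaces either in impersonate() (S4U2Self) or in the SPNEGO handshake (S4U2Proxy); running the JVM with sun.security.krb5.debug=true shows which TGS exchange was rejected.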

