Vanilla Krb5LoginModule is working, prompting for creds
In my modest usage of JAAS -> JGSS -> Kerberos -> Windows
thus far, I have set up a Krb5LoginModule
When I do:
Subject.doAs(
new LoginContext(...)).login(), // subject
new MyPrivilegedAction() // action
)
... I am prompted for credentials, and the action is successful.
Using TGT Session Key hack, can avoid prompt for creds
If I also add useTicketCache=true
to the login module, and if I put up with the security hazards of setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTgtSessionKey=1
and don't use Windows 10 Credential Guard, then the action is successful without a prompt for credentials.
Java 12 gives us a default native GSS-API lib even on Windows
Java 11.0.10 introduced the possibility of using a native GSS-API implementation on Windows but did not provide a default implementation. Java 12 added a native implementation of GSS-API which bridged to the Windows SSPI. This avoids the need for the risky AllowTGTSessionKey
.
Using native GSS-API works too, prompting for creds
On Java 15.0.2 (both Oracle and OpenJDK) on Windows, despite the docs) still (now incorrectly) claiming, "There is no well-known native GSS-API library on Windows", I can:
- Omit
java.security.krb5.realm
andjava.security.krb5.kd
system properties (which I use in lieu of a full-blown kr5.conf, since my AD environment is simple); and - merely specify
sun.security.jgss.native=true
.
... and the action prompts for credentials, but is successful.
But native always prompts for credentials
Can I expect when using sun.security.jgss.native=true
(on JDK 15.0.2 on Windows) that JAAS -> JGSS -> Kerberos -> Windows
will attempt to use the Windows LSASS via the SSPI to obtain the credentials of the user executing the JVM? Or is this not something that the native GSS-API -> SSPI
library facilitates? Information is thin on the ground!
CallbackHandler
is invoked using native, it does correctly suggest my username ... it just isn't fetching my password from Windows the way it does when using pure-Java with theAllowTGTSessionKey
hack. – Elayneelazaro-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
or sthg similar? – Ditter