JGSS fails with KrbException: Message stream modified (41) on cross-realm intermediate/unexpected TGT

Osipov, Michael michael.osipov at siemens.com
Tue Apr 19 20:35:02 UTC 2016


> > On Apr 19, 2016, at 8:48 PM, Osipov, Michael
> <michael.osipov at siemens.com> wrote:
> >
> >>> Are there any  plans to add referral support?
> >>
> >> Not yet.
> >>
> >>> Can we log this issue in bugs.openjdk.java.net/browse/JDK?
> >>
> >> You can always do that, but such a feature should be covered by a JEP.
> >
> > Only JDK devs have write access. All I can do is a bug report with
> > http://bugreport.java.com/. A JEP can probably initiated by you or your
> > colleagues. Even if, this probably won't make it into Java 9.
> 
> There is another bug https://bugs.openjdk.java.net/browse/JDK-6631053
> which is about referral for client. I've just added a comment on server
> and cross-realm routing.

I know this ticket and it does not describe what you think. This has
nothing to do with canonicalize in KdcOptions and it won't solve the problem.
Just tried that option on MIT Kerberos, no avail. This option applies to client
principals only and is useful when you perform kinit with an enterprise principal. 
Back to the issue, in short, if you receive
an LDAP referral from Active Directory, the URL contains not a hostname
but a naming context name. For such a NC name does not exist a SPN, Kerberos
will fail. Additional steps need to be taken to make it work. I am currently
assessing how I can sovle this for us, because this is AD-specific. Of course,
Oracle's support in extending their LDAP implementation would be awesome.
If you'd like to know more about this, see [1] and [2].

> > In the meantime, can this be documented someone in the official docs
> > of Oracle?
> 
> The documentation for Kerberos in Java is at
> 
>   http://download.java.net/jdk9/docs/technotes/guides/security/jgss/jgss-
> api-mechanism.html
> 
> It has not listed RFC 6806.

Exactly, that's the RFC I am talking about. Thank you for bringing this up.
People once in while ask for client referrals on Stack Overflow [3], I'd
rather see server referrals. Anyway, if you think that you or someone else
will pick up this RFC, I'd be more than happy to test that. I have three
forests, tens of domains to test and thousands of SPNs to test.

Michael

[1] http://mail.openjdk.java.net/pipermail/core-libs-dev/2016-April/040347.html
[2] http://tomcatspnegoad.sf.net/referral-handling
[3] http://stackoverflow.com/q/34398114/696632



More information about the security-dev mailing list