Using Java 8 S4U2Proxy and S4U2Self - A good example needed

 
Nischit Shetty
Greenhorn
Posts: 27
I am trying to use S4U2Proxy and S4U2Self introduced in Java 8. Unfortunately I was not successful in finding many examples. My requirement is that the client would send its certificate. I should then delegate (using Kerberos) his request, connect to the KDC, get the TGT, get the service ticket to contact another server on the user's behalf and then finally contact the actual service by providing the service ticket. If you have a working example for some dummy client and server, it would be great.

I have a code base which does the following -
1) Using JAAS, the service which is supposed to impersonate successfully logs in to the KDC.
2) I now have the JAAS subject. It contains the Kerberos ticket (TGT and all).
3) Within the scope of the "subject", I am now running the below code. But it fails with an error "Invalid option setting in ticket request. (101)". Obviously there is a basic issue in my code that I am missing. This error is occurring even before a request is made to the KDC.



Obviously there will be questions about how the SPN has been set in the KDC? Whether that service account is authorized for delegation? Has the right SPN been assigned to that service account? When the user "monkey" denies all sorts of delegation? etc. etc. Right now I feel I have made the right settings in the KDC. My problem is the above is occurring even before it hits the KDC. Any valid inputs will help.
 
Nischit Shetty
Greenhorn
Posts: 27
After some research, I was able to perform the S4U2Self and S4U2Proxy using Java 8. Surprised that at least one example should have been provided by Oracle documentation. Anyhow, I am now moving to the next stage. Now another scenario that I have to handle is cross-domain Kerberos certificate delegation. From the Java 8 documentation that I have seen so far, it infers that currently cross-realm is not supported. Is it still true?
 
Rob Isaacs
Greenhorn
Posts: 21
Hi Nischit,

I have to work with S4U2Proxy and S4U2Self as well, but I too cannot find any good examples. You mentioned you were able to get a result. Would you mind sharing that result?


On a side note, while searching for a solution, I found you posted this question not just here but also at http://stackoverflow.com/questions/31051468/using-java-8-s4u2proxy-a-good-example-needed and https://community.oracle.com/thread/3758634. You should tell people when you cross post, so people won't waste time answering your question when it already has been answered somewhere else. This is somewhere in the FAQ (can't find the link right now).
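
The flow discussed in this thread (JAAS login of the service, then S4U2Self, then S4U2Proxy), sketched with the Java 8 `com.sun.security.jgss.ExtendedGSSCredential` API. This is an added example, not code from any poster in the thread. The JAAS entry name, user principal and backend SPN are constructed placeholders, and the JAAS entry is assumed to configure `Krb5LoginModule` with the front-end service's keytab.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

public class S4uExample {
    // Constructed placeholders (assumptions, not values from the thread).
    static final String JAAS_ENTRY = "frontend-service";
    static final String USER = "someuser@EXAMPLE.COM";
    static final String BACKEND = "HTTP@backend.example.com";

    public static void main(String[] args) throws Exception {
        // Step 1: the impersonating service logs in and obtains its own TGT.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        // Steps 2-3: run the GSS calls inside the scope of the JAAS Subject.
        byte[] token = Subject.doAs(lc.getSubject(),
                (PrivilegedExceptionAction<byte[]>) S4uExample::tokenForBackend);
        System.out.println("Token for backend: " + token.length + " bytes");
    }

    static byte[] tokenForBackend() throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism

        // The service's own credential, taken from the Subject's TGT.
        GSSCredential self = manager.createCredential(null,
                GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);

        // S4U2Self: obtain a ticket to this service on behalf of the user.
        GSSName user = manager.createName(USER, GSSName.NT_USER_NAME);
        GSSCredential impersonated = ((ExtendedGSSCredential) self).impersonate(user);

        // S4U2Proxy: a context initiated with the impersonated credential makes
        // the JDK request the backend ticket on the user's behalf. A GSSException
        // is thrown if the KDC does not permit this delegation.
        GSSName backend = manager.createName(BACKEND, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(backend, krb5, impersonated,
                GSSContext.DEFAULT_LIFETIME);
        try {
            return ctx.initSecContext(new byte[0], 0, 0); // first token to send
        } finally {
            ctx.dispose();
        }
    }
}
```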
 