I am trying to use S4U2Proxy and S4U2Self, introduced in Java 8. Unfortunately, I was not successful in finding many examples. My requirement is that the client would send its certificate. I should then delegate (using Kerberos) his request, connect to the KDC, get the TGT, get the service ticket to contact another server on the user's behalf, and then finally contact the actual service by providing the service ticket. If you have a working example for some dummy client and server, it would be great.
I have a code base which does the following -
1) Using JAAS, the service which is supposed to impersonate successfully logs in to the KDC.
2) I now have the JAAS subject. It contains the Kerberos ticket (TGT and all).
3) Within the scope of the "subject", I am now running the below code. But it fails with an error "Invalid option setting in ticket request. (101)". Obviously there is a basic issue in my that I am missing. This error is occurring even before a request is made to the KDC.
Obviously there will be questions about how the SPN has been set in the KDC. Whether that service account is authorized for delegation? Has the right SPN been assigned to that service account? When the user "monkey" denies all sorts of delegation? etc. Right now I feel I have made the right settings in the KDC. My problem is that the above is occurring even before it hits the KDC. Any valid inputs will help.