
Add support for ticket delegation #27

Closed
wants to merge 2 commits into from

Conversation

thmarti

@thmarti thmarti commented Apr 16, 2015

Hi

For our project we've extended spring-security-kerberos to support ticket delegation. If you're interested in having this included in the plugin, we'd write a few tests and maybe a sample project and some documentation (whatever your exact requirements are).

Regards,
Thomas Marti

I have signed and agree to the terms of the SpringSource Individual Contributor License Agreement.

@jvalkeal
Contributor

Thanks, sounds interesting. We're about to release 1.0.0 so I'll take a deeper look after that.


public KerberosTicketValidation(String username, String servicePrincipal, byte[] responseToken, GSSContext gssContext) {
public KerberosTicketValidation(String username, String servicePrincipal, byte[] responseToken, GSSContext gssContext, GSSCredential delegationCredential) {
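Review bot: the new five-argument constructor replaces the existing four-argument one rather than sitting beside it, so every caller compiled against the current KerberosTicketValidation(username, servicePrincipal, responseToken, gssContext) breaks. Keep the original constructor and have it delegate to the new one with a null delegationCredential, and state in the new constructor's Javadoc that delegationCredential is null when the client did not forward credentials, so consumers check for that before using it.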
Member

Rather than removing the constructor we should add an additional constructor to remain passive. Can you update the PR?

@rwinch
Member

rwinch commented Apr 16, 2015

@thmarti Thanks for your PR! I commented in the code diff.

@jethrobakker

I have created some sample code to delegate tickets to other HTTP services. More info on:

http://blog.concetto.io/post/2015/09/30/Microservices-and-Kerberos-authentication

@thmarti
Author

thmarti commented May 3, 2016

Hi

Are you still interested in this? Is there more we need to do for you to accept this PR?

@thmarti
Author

thmarti commented May 31, 2016

Hi @bjarkih

You need a couple of things:

  • Registry entry, if you use windows:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
  • A krb5.conf file with forwardable = true
  • Configure the krb5.conf file in the JVM: System.setProperty("java.security.krb5.conf","/absolute/path/to/krb5.conf");
  • set refreshKrb5Config to true in SunJaasKerberosTicketValidator.java
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
    HashMap<String, String> options = new HashMap<String, String>();
    options.put("useKeyTab", "true");
    options.put("keyTab", this.keyTabLocation);
    options.put("principal", this.servicePrincipalName);
    options.put("storeKey", "true");
    options.put("doNotPrompt", "true");
    options.put("refreshKrb5Config", "true"); // <------- Here!
    // rest of the method unchanged: the options feed the Krb5LoginModule
    return new AppConfigurationEntry[] { new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
}

@bjarkih

bjarkih commented Jun 2, 2016

Thanks @thmarti! I will give this a try and let you know how it goes.

@UlrichColby

@thmarti I am trying to recreate your PR as well. I get the changes that you have made, but I am trying to figure out how to get to the point where I have a Subject object that will ultimately allow me to call external services using a Subject.doAs method.

Thanks,
Ulrich

@dariusan

dariusan commented Aug 3, 2016

@UlrichColby:
You can use the following code to get the subject after successful ticket validation:

javax.security.auth.Subject subject = sun.security.jgss.GSSUtil.getSubject(org.ietf.jgss.GSSManager.getInstance().createName("authenticatedUsernameFromPreviousStep", org.ietf.jgss.GSSName.NT_USER_NAME), context.getDelegCred());

@sterowney
Contributor

Thanks @thmarti for your pull request. I've been able to integrate with kerberized back-end services really easily via my Kerberos-protected REST service. I had to update to the latest code from master and resolve the conflicts, which can be found here: https://github.com/sterowney/spring-security-kerberos

Are there any plans for a 1.0.2.RELEASE with these great features? Happy to help.

@ludochane

In SunJaasKerberosTicketValidator.LoginConfig.getAppConfigurationEntry(), didn't you have to set isInitiator to true?
If I leave it to false, no delegate credentials are sent by the end user.

@thmarti
Author

thmarti commented Jul 5, 2017

@ludochane: To validate a ticket, 'isInitiator' has to be false. What is your scenario? What exactly are you trying to do?

@ludochane

Hi @thmarti,
I am trying to do credential delegation. I made it work, but in my case calling context.getCredDelegState() always returns false, except when I set isInitiator to true.

@dariusan

dariusan commented Jul 5, 2017 via email

@ludochane

Hi @dariusan,
I use Firefox and Chrome on Windows.
For Firefox, I have network.automatic-ntlm-auth.trusted-uris and network.negotiate-auth.trusted-uris, which are set correctly for my host. Nonetheless, if I don't set isInitiator to true, I can't retrieve delegated credentials. Anyway, I made it work, but it is weird though...

@koraktor
Contributor

koraktor commented Jul 6, 2017

@ludochane You will have to set network.negotiate-auth.delegation-uris, too.

@ludochane

@koraktor, oh yes network.negotiate-auth.delegation-uris was set too actually.

@GyllingSW

What is the exact status on this topic?
I have a set of customer-related projects that need this functionality. I can manage to get it working for now, but it would be very good to know if there is an intention to actually merge this into the official release.
I can put in some hours if needed, depending on your demand versus my capabilities.

@rwinch
Member

rwinch commented Mar 9, 2018

Sorry for the delayed response on this ticket. If the PR can be rebased off of master (I'm a bit pressed for time to do this myself), I'd be glad to review and merge.

@sterowney
Contributor

It's updated here if needed? https://github.com/sterowney/spring-security-kerberos

@rwinch
Member

rwinch commented Mar 16, 2018

@sterowney Thanks! Can you submit a PR please?

@dariusan

dariusan commented Nov 7, 2018

@ludochane isInitiator=true is required on Windows when you have "constrained delegation" enabled instead of "unconstrained delegation" in AD. @sterowney Maybe the devs could make this configurable in their "multitier implementation". This (constrained delegation) is going to be the default soon on Windows 10 Clients with Windows Credential Guard enabled.
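Pulling the configuration steps from this thread together (the Krb5LoginModule options with refreshKrb5Config, an isInitiator switch instead of a hard-coded value as suggested here, and the GSSUtil.getSubject call posted earlier), as an added example that is not part of this PR or of the spring-security-kerberos code base; DelegationLoginConfig and delegatedSubject are hypothetical names, and the Subject is only produced when the accepted context actually carries delegated credentials:

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

// Hypothetical stand-in for SunJaasKerberosTicketValidator.LoginConfig: same Krb5LoginModule
// options, but isInitiator is configurable (false = plain validation, true = constrained delegation).
public class DelegationLoginConfig extends Configuration {
    private final String keyTabLocation;
    private final String servicePrincipalName;
    private final boolean initiator;

    public DelegationLoginConfig(String keyTabLocation, String servicePrincipalName, boolean initiator) {
        this.keyTabLocation = keyTabLocation;
        this.servicePrincipalName = servicePrincipalName;
        this.initiator = initiator;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");
        options.put("keyTab", keyTabLocation);
        options.put("principal", servicePrincipalName);
        options.put("storeKey", "true");
        options.put("doNotPrompt", "true");
        // re-read the krb5.conf named by java.security.krb5.conf so "forwardable = true" is honoured
        options.put("refreshKrb5Config", "true");
        options.put("isInitiator", Boolean.toString(initiator));
        return new AppConfigurationEntry[] { new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
    }

    // After acceptSecContext() succeeds: return a Subject for the delegated user only if the client
    // really forwarded credentials; callers must not fall back to the service's own identity.
    public static Subject delegatedSubject(GSSContext context, String username) throws GSSException {
        if (!context.getCredDelegState()) {
            return null;  // no delegated TGT in this context
        }
        GSSName user = GSSManager.getInstance().createName(username, GSSName.NT_USER_NAME);
        return sun.security.jgss.GSSUtil.getSubject(user, context.getDelegCred()); // JDK-internal API
    }
}
```

The returned Subject is what you pass to Subject.doAs(...) around the outbound call; on Java 9 and later the internal GSSUtil class needs the JVM flag --add-exports java.security.jgss/sun.security.jgss=ALL-UNNAMED.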

@rwinch
Member

rwinch commented Nov 7, 2018

Closing in favor of #122

@rwinch rwinch closed this Nov 7, 2018