Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-921

SPNEGO authentication fails on Windows-KDC

XMLWordPrintable

      Inside the "SPNEGOLoginModule" (3.0.0.CR2-SNAPSHOT) the run()-Method of inner class "AcceptSecContext" checks for existence of Kerberos-oid within the SPNEGO-Token. But it checks solely the first element of the mechanism-list:

      	if (mechList.get(0).equals(kerberos))
	{
	 gssToken = negTokenInit.getMechToken();
	}
	else
	{
	 boolean kerberosSupported = false;
	 ...

      But SPNEGO-Token from Windows-KDC (2008 R2) supports four types of authentication (oids):

      • oid: 1.2.840.48018.1.2.2 (Windows Kerberos V5)
      • oid: 1.2.840.113554.1.2.2 (Kerberos V5 - we are looking for)
      • oid: 1.3.6.1.4.1.311.2.2.30 NegoEx
      • oid: 1.3.6.1.4.1.311.2.2.10 NTLM

      So Kerberos-check within run()-method should iterate the mechList until it founds Kerberos-V5-oid:

                     for (Oid oid : mechList)
                {
             	   if (oid.equals(kerberos))
                   {
            		   gssToken = negTokenInit.getMechToken();
                           break;
            	   }
               }

              rnetuka@redhat.com Radovan Netuka
              jphilou Harald Krause (Inactive)
              Votes:
              4 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: