Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-8506

Elytron SPNEGO authentication in deployment over HTTPS, EAP requests for HTTPS/hostname ticket.

    Details

      Description

      Accessing deployment secured by Kerberos + TLS causes EAP requests from KDC ticket HTTPS/hostname.

      See network dump krb_https_deployment.pcap in attachement, where TGS-REQ for HTTPS/localhost is captured.

      If I configure HTTPS/hostname in KDC and kerberos credential factory to use principal HTTPS/hostname it works correctly. But I still believe it is bug:

      • At least it is not consistent with legacy management interface behaviour (JBEAP-8572).
      • found 2 sources describing protocol and service does not match 1:1 and for https protocol HTTP/hostname SPN should be used [1][2]

      [1] https://sites.google.com/a/chromium.org/dev/developers/design-documents/http-authentication
      [2] https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on-internet-information-services

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  mchoma Martin Choma
                  Tester:
                  Martin Choma
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: