A Bug in Kerberos used by Java's HTTP

Sorry, I didn't notice a thread on Oracle's forum until recently, when JDK-8028351 was reported to us directly. After some investigation, the bug is resolved in 7u60/8. Hopefully it's not too late for our customers.

A web page that is behind "Windows Authentication" is in fact protected by Kerberos and NTLM, and is accessible with whichever auth scheme the client supports. In JDK 7, Kerberos works out-of-the-box on a Windows machine that has already joined a domain (well, not exactly, see below), so it's always tried first. However, without the allowtgtsessionkey registry key being set, Java still needs a password to log in. There is no way to get this password (unless you program JAAS directly), so Java tries the empty password. Obviously, the KDC (the Windows domain controller) does not like it and blocks the user if this is tried multiple times.

The thread mentions the .java.login.config trick. When Java wants to use that file but cannot find it, it just fails without trying to log in at all. The bug report mentions that disabling Kerberos pre-authentication is also a workaround. In this case, no encrypted timestamp is sent, so the KDC has no way to know that the client does not have the correct password.

In all these cases, Kerberos always fails, Java falls back to NTLM, and the web page is still reached. However, the terrible thing about the empty-password case is that you can read the page when you first access it, but if you access it again and again, your account is eventually locked out, and then even NTLM does not work anymore.
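The safest way to keep an unpatched client from ever sending that empty password is to give Java a real JAAS configuration instead of an absent one: point java.security.auth.login.config at a file whose Krb5LoginModule entry uses the OS ticket cache and is forbidden to prompt, so a Kerberos attempt without usable credentials fails locally with a LoginException (and the NTLM fallback proceeds) rather than sending a bad AS-REQ to the KDC. The program below is an added example, not code from the original post or from the JDK; it assumes the JAAS entry name com.sun.security.jgss.krb5.initiate (the name the JDK's HTTP Negotiate client looks up), that the JDK consults java.net.Authenticator when Negotiate needs a password, and a placeholder URL. On Windows the ticket-cache path still needs the allowtgtsessionkey registry key mentioned above.

```java
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class NegotiateClient {

    // JAAS entry used by Java's HTTP Negotiate client (name assumed from the JDK, not from the post).
    // useTicketCache=true : reuse the TGT the OS already holds (needs allowtgtsessionkey on Windows).
    // doNotPrompt=true    : if no TGT is usable, fail with LoginException instead of asking for,
    //                       or defaulting to, a password. Nothing is ever sent to the KDC.
    private static final String LOGIN_CONF =
        "com.sun.security.jgss.krb5.initiate {\n"
      + "  com.sun.security.auth.module.Krb5LoginModule required\n"
      + "    useTicketCache=true\n"
      + "    doNotPrompt=true;\n"
      + "};\n";

    // Writes the config to a temp file and registers it before the first HTTP request.
    static Path installLoginConfig() throws IOException {
        Path conf = Files.createTempFile("login", ".conf");
        Files.write(conf, LOGIN_CONF.getBytes(StandardCharsets.UTF_8));
        System.setProperty("java.security.auth.login.config", conf.toString());
        // Shows on stderr whether the ticket cache was found or the login failed locally.
        System.setProperty("sun.security.krb5.debug", "true");
        return conf;
    }

    // Optional: supply a real password only when an Authenticator is explicitly configured.
    // Without this, the Negotiate scheme fails fast under doNotPrompt=true and NTLM is tried.
    static void installAuthenticator(final String user, final char[] password) {
        Authenticator.setDefault(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                // Only answer Negotiate/NTLM challenges; refuse anything else.
                String scheme = getRequestingScheme();
                if ("Negotiate".equalsIgnoreCase(scheme) || "NTLM".equalsIgnoreCase(scheme)) {
                    return new PasswordAuthentication(user, password.clone());
                }
                return null;
            }
        });
    }

    static int fetch(String url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        try {
            return c.getResponseCode();   // HttpURLConnection handles the 401/Negotiate round trip
        } finally {
            c.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // args[0]: URL behind Windows Authentication (placeholder; e.g. http://intranet.example/secure/)
        // args[1], args[2] (optional): user and password for the Authenticator path
        String url = args.length > 0 ? args[0] : "http://intranet.example/secure/";
        installLoginConfig();
        if (args.length > 2) {
            installAuthenticator(args[1], args[2].toCharArray());
        }
        System.out.println("HTTP " + fetch(url));
    }
}
```

Run it repeatedly against the same page: with the config in place, the Kerberos debug output shows either a ticket-cache hit followed by a normal Negotiate exchange, or a local "doNotPrompt" login failure followed by the NTLM fallback, and the domain controller never sees an empty-password AS-REQ that would count towards an account lockout.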
