
Regd: Constrained delegation not working with standalone Java code.

Hi,

I'm trying to use VSJ and have written a standalone application to implement constrained delegation. Can any one of you please look at the Active Directory configuration and standalone Java program described below, which performs the Kerberos operations for constrained delegation, and let me know what exactly went wrong?

Active Directory Configuration:
=====================
I have created two user accounts, user1 and user2, and mapped these users to services in Active Directory: 1. CS/service1@dev2008.COM 2. CS/service2@dev2008.COM. The first service (CS/service1@dev2008.COM) is configured such that it is only allowed to delegate to the second service (CS/service2@dev2008.COM), i.e. constrained delegation is enforced on the first service.

Standalone Java Program and Problem Noticed:
=================================
Generated a TGT (e.g. kinit -f user1@dev2008.COM password) for user1 on my dev machine and wrote a standalone Java app which performs the Kerberos operations below.
1. Fetches the user1 TGT from the cache.
2. Using the user1 TGT, the Java app tries to get a service ticket through delegation to the service mapped to user1 (i.e. CS/service1@dev2008.COM).
3. Gets the delegated credentials using the service ticket (by accepting the service ticket on service1 (CS/service1@dev2008.COM) I get the delegated credentials).
4. Uses the delegated credentials and tries to fetch a service ticket to service2 (CS/service2@dev2008.COM). This works fine.

However, when I try to fetch a service ticket for some other service in AD (a service not among the SPNs listed under the constrained delegation of service1), I am still able to get a service ticket.

Is there a specific API or configuration in VSJ which needs to be called or enabled to make constrained delegation work, i.e. so that the service ticket can be generated only for service2? Or have I done anything wrong?

I have tried setting idm.allowS4U to true in the vsj.properties file, but I'm not sure whether this file is getting picked up, even though the properties file is put on the classpath; I also tried to point to the file location through -Didm.propertyFileURL="C:\common\vsj.properties" (not sure how helpful that is).

Thanks,
Naga
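The symptom in the post above (a ticket for a service outside the allowed list) is worth checking against what AD actually holds for user1 rather than against the client library: the KDC, not VSJ, enforces the msDS-AllowedToDelegateTo list, and an account with the TRUSTED_FOR_DELEGATION bit set in userAccountControl (unconstrained delegation) is not subject to that list at all, since the service then simply uses the forwarded TGT, which is what kinit -f requests, for its own TGS requests. The following Python is an added example, not code from the post or from VSJ. The account entries are constructed to show the two configurations side by side, and the decision function mirrors the KDC's checks offline; in a real check the attributes would come from an LDAP query or from Get-ADUser -Properties userAccountControl,msDS-AllowedToDelegateTo.

```python
"""
Classify the Kerberos delegation mode an AD account is configured for, from
its userAccountControl bits and msDS-AllowedToDelegateTo list, and decide
whether a given delegation target SPN would be issued a ticket.

The account entries at the bottom are constructed for illustration; they
are not dumped from any real directory.
"""

# userAccountControl bits relevant to delegation (values as documented in MS-ADTS).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
NORMAL_ACCOUNT = 0x200


def delegation_mode(entry):
    """Return 'none', 'unconstrained', 'constrained' or 'constrained-any-protocol'."""
    uac = entry.get("userAccountControl", 0)
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"
        return "constrained"
    return "none"


def normalise_spn(spn):
    """Compare SPNs case-insensitively and without a trailing @REALM,
    which the msDS-AllowedToDelegateTo attribute does not carry."""
    return spn.split("@", 1)[0].lower()


def delegation_allowed(service_entry, user_entry, target_spn):
    """
    Decide whether the KDC would let service_entry obtain a ticket to target_spn
    on behalf of user_entry:
      - a user marked NOT_DELEGATED can never be delegated
      - an unconstrained service can reach any target (forwarded TGT)
      - a constrained service only the SPNs in msDS-AllowedToDelegateTo (S4U2Proxy)
    """
    if user_entry.get("userAccountControl", 0) & NOT_DELEGATED:
        return False
    mode = delegation_mode(service_entry)
    if mode == "unconstrained":
        return True
    if mode.startswith("constrained"):
        allowed = {normalise_spn(s) for s in service_entry["msDS-AllowedToDelegateTo"]}
        return normalise_spn(target_spn) in allowed
    return False


# Constructed entries. SERVICE1_CONSTRAINED is the configuration the post intends;
# SERVICE1_UNCONSTRAINED reproduces the symptom (tickets for any service).
SERVICE1_CONSTRAINED = {
    "sAMAccountName": "user1",
    "servicePrincipalName": ["CS/service1"],
    "userAccountControl": NORMAL_ACCOUNT,
    "msDS-AllowedToDelegateTo": ["CS/service2"],
}
SERVICE1_UNCONSTRAINED = {
    "sAMAccountName": "user1",
    "servicePrincipalName": ["CS/service1"],
    "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": ["CS/service2"],  # no longer limits anything once the flag is set
}
PLAIN_USER = {"sAMAccountName": "user1", "userAccountControl": NORMAL_ACCOUNT}
SENSITIVE_USER = {"sAMAccountName": "admin", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED}

if __name__ == "__main__":
    for label, svc in (("constrained", SERVICE1_CONSTRAINED), ("unconstrained", SERVICE1_UNCONSTRAINED)):
        print(label, "->", delegation_mode(svc))
        for target in ("CS/service2@dev2008.COM", "HTTP/other.dev2008.com"):
            print("   ", target, delegation_allowed(svc, PLAIN_USER, target))
```

If the real user1 entry comes out as "unconstrained", the extra tickets are expected and no VSJ setting will change it; clear the flag and keep only the msDS-AllowedToDelegateTo list. If it comes out as "constrained" and arbitrary tickets still appear, the next thing to confirm is that the Java app is really driving S4U2Proxy with the delegated credential rather than using a forwarded TGT it received in the AP-REQ.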


