IBM Support

The credential is not propagated when you select the Enable delegation of Kerberos credentials option for SPNEGO Web authentication

Troubleshooting


Problem

When you configure Simple and Protected GSS-API Negotiation (SPNEGO), if you select the Enable delegation of Kerberos credentials option, the GSSCredential is not serializable and cannot be propagated to a downstream server.

Resolving The Problem

The following information will be changed in the Information Center for IBM WebSphere Application Server:

  • In the "SPNEGO Web authentication filter values" topic, the following new information will be added under the description for the Enable delegation of Kerberos credentials option:

"Note: If this option is enabled (which it is by default), the GSSCredential is not serializable and cannot be propagated to the downstream server. The client Kerberos delegation credential is extracted and the KRBAuthnToken base is created. The KRBAuthnToken contains the client Kerberos delegation and can be propagated to a downstream server.

    If you want to propagate the KRBAuthnToken to a downstream server, the client Ticket Granting Ticket (TGT) must contain addressless and forwardable options. If a client TGT is addressed, the downstream server does not have a client GSS delegation credential after it is propagated.

    You can extract the client delegation GSSCredential from the KRBAuthnToken by using the KRBAuthnToken.getGSSCredential() method."

  • In the "SPNEGO Web authentication filter values" topic, under the description for the Enable delegation of Kerberos credentials option, the following text will be changed:

"The developer must interact directly with the Kerberos Ticket Granting Service (TGS) to obtain a Ticket Granting Ticket (TGT) using the delegated Kerberos credentials on behalf of the user originating the request."

    The new text will contain the following statement:
    "The developer must interact directly with the Kerberos KDC to obtain a Kerberos Ticket Granting Service (TGS) using the delegated Kerberos credentials on behalf of the user who originated the request."

  • In the "Single sign-on for HTTP requests using SPNEGO Web authentication" topic, under the "SPNEGO Web authentication in a single Kerberos realm" section for both Figure 2 and Figure 3, Step 7 will be changed to the following text:

    "WebSphere Application Server validates the SPNEGO token. If the validation is successful, it retrieves the user ID and the GSS delegation credential from the SPNEGO token. Create a KRBAuthnToken with a client Kerberos credential."

  • In the "Adding or modifying SPNEGO web authentication filters using the administrative console" topic, in optional step 11 for the Enable delegation of Kerberos credentials option, the following text has been added:

"Note: If this option is enabled (which it is by default), the GSSCredential is not serializable and cannot be propagated to the downstream server. The client Kerberos delegation credential is extracted and the KRBAuthnToken base is created. The KRBAuthnToken contains the client Kerberos delegation and can be propagated to a downstream server.

If you want to propagate the KRBAuthnToken to a downstream server, the client Ticket Granting Ticket (TGT) must contain addressless and forwardable options. If a client TGT is addressed, the downstream server does not have a client GSS delegation credential after it is propagated.

    You can extract the client delegation GSSCredential from the KRBAuthnToken by using the KRBAuthnToken.getGSSCredential() method."

• In the "Mapping of a client Kerberos principal name to the WebSphere user registry ID" topic, you must get the Kerberos principal name from a KRBAuthnToken by calling the KRBAuthnToken.getTokenPrincipal method. Also, you must get the Kerberos realm name from a KRBAuthnToken by calling the KRBAuthnToken.getTokenRealm method. However, do not obtain the Kerberos principal name directly from a subject as indicated in the topic.

• After you authenticate to WebSphere Application Server or after you propagate the login, you might have a GSSCredential and a KRBAuthnToken in a subject. If you want to use the GSSCredential for your application, you first must get the GSSCredential from the KRBAuthnToken by calling the KRBAuthnToken.getGSSCredential method and then place or replace it in the subject.
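As an added illustration of the last two items (example code written for this page, not code from the technote or from the WebSphere product), the helper below reads the principal and realm from the KRBAuthnToken rather than from the subject, then copies the delegation GSSCredential out of the token into the subject, replacing any GSSCredential already there. The package name com.ibm.websphere.security.auth.kerberos and the placement of both the KRBAuthnToken and the GSSCredential among the subject's private credentials are assumptions; the caller obtains the subject, for example from WSSubject.getRunAsSubject().

```java
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSCredential;
// Assumed package for KRBAuthnToken; check it against your WebSphere installation.
import com.ibm.websphere.security.auth.kerberos.KRBAuthnToken;

public final class KrbDelegationHelper {

    /** Kerberos identity taken from the token, never from Subject.getPrincipals(). */
    public static String kerberosName(KRBAuthnToken token) {
        return token.getTokenPrincipal() + "@" + token.getTokenRealm();
    }

    /**
     * Extracts the delegation GSSCredential from the subject's KRBAuthnToken and
     * places it in the subject's private credentials, replacing any GSSCredential
     * left over from a previous hop (after propagation only the token survives).
     * Returns null when no usable delegation credential is present, which is what
     * a downstream server sees when the client TGT was addressed or not forwardable.
     */
    public static GSSCredential refreshGssCredential(Subject subject) {
        if (subject == null || subject.isReadOnly()) {
            return null; // a read-only subject cannot have its credential set replaced
        }
        // Assumption: the KRBAuthnToken is stored as a private credential.
        Set<KRBAuthnToken> tokens = subject.getPrivateCredentials(KRBAuthnToken.class);
        if (tokens.isEmpty()) {
            return null;
        }
        GSSCredential delegated = tokens.iterator().next().getGSSCredential();
        if (delegated == null) {
            return null;
        }
        Set<Object> creds = subject.getPrivateCredentials();
        // Remove stale GSSCredential objects so the freshly extracted one replaces them.
        for (Iterator<Object> it = creds.iterator(); it.hasNext(); ) {
            if (it.next() instanceof GSSCredential) {
                it.remove();
            }
        }
        creds.add(delegated);
        return delegated;
    }
}
```

Applications that need a downstream GSS context should call refreshGssCredential on the current subject on every hop and treat a null result as "no delegation available" rather than falling back to cached credentials.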


Document Information

Modified date:
06 June 2019

UID

swg21317980