Michael Böckling

Reputation: 7922

Java Kerberos SSO and Windows NT-ENTERPRISE name type

There are issues with users authenticating against a Java Kerberos-enabled SSO app. It seems that login fails when Windows sends a name type of NT-ENTERPRISE instead of NT-PRINCIPAL.

I looked at javax.security.auth.kerberos.KerberosPrincipal, and the NT-ENTERPRISE type seems to be unsupported. What can we do? Is there a way to prevent Windows from using that type?

We only have one realm, so I don't know why this type is even used. Also, this problem affects only some clients.

Upvotes: 0

Views: 731

Answers (1)

Michael-O

Reputation: 18415

Java does not support the enterprise principal format. This does not matter actually. When the client presents a service ticket, the KDC always translates the eUPN to an iUPN, so Kerberos always uses the implicit UPN.

Note: Windows does that by default. MIT Kerberos requires canonicalize to be true.

Upvotes: 1
