Using Waffle to obtain Service ticket

[uljana12]

I am in doubt if it is possible to use Waffle to obtain a ticket to specific Service (token). I can use GSS-API to obtain a Service ticket but I am interested if that is possible to do with Waffle. I have followed this discussion http://waffle.codeplex.com/discussions/267276  but I am not sure if that is possible to have the actual ticket. The scenario is the following: I have my Waffle client setup with Kerberos, I took Waffle JAAS client from here http://waffle.codeplex.com/workitem/11248. So I can login and get the IWindowsIdentety which presumably have TGT for my user, then I need to use this TGT to get a ticket to specific service (my service) so my user can be automatically logged in. Currently we use GSS-API for that and GSS function org.ietf.jgss.GSSContext.initSecContext but it is not enough for us because of some security restrictions it fails in some specific scenario. I know that Waffle uses SSPI and can call impersonate() on the server side to imitate the client currently logged in user, but I don't see how can I use that to get the Service token. 

[Daniel Doubrovkine]

The short answer is that I don't know.

You should be able to do it, but you need to find the Win32 API that performs this function.

On Thu, Aug 9, 2012 at 11:29 AM, uljana12 <ulja...@gmail.com> wrote:

I am in doubt if it is possible to use Waffle to obtain a ticket to specific Service (token). I can use GSS-API to obtain a Service ticket but I am interested if that is possible to do with Waffle. I have followed this discussion http://waffle.codeplex.com/discussions/267276  but I am not sure if that is possible to have the actual ticket. The scenario is the following: I have my Waffle client setup with Kerberos, I took Waffle JAAS client from here http://waffle.codeplex.com/workitem/11248. So I can login and get the IWindowsIdentety which presumably have TGT for my user, then I need to use this TGT to get a ticket to specific service (my service) so my user can be automatically logged in. Currently we use GSS-API for that and GSS function org.ietf.jgss.GSSContext.initSecContext but it is not enough for us because of some security restrictions it fails in some specific scenario. I know that Waffle uses SSPI and can call impersonate() on the server side to imitate the client currently logged in user, but I don't see how can I use that to get the Service token. 

--

dB. | Moscow - Geneva - Seattle - New York
dblock.org - @dblockdotorg

[uljana12]

I have the code which performs that using native Windows API written in C++ and there are all the functions for that I can post it for you. Thats why I am thinking how can I implement the same in Java, maybe something like native Java GSS-API could be of any use. 

[Daniel Doubrovkine]

Waffle uses JNA,  https://github.com/twall/jna/ , which is a good place to start.

Post the C++ code here if that's not helpful.

[uljana12]

I created an example of how to obtain Kerberos service ticket with Waffle, also changed some of your Waffle code. Actually it solves another critical issue which was described here https://groups.google.com/forum/?fromgroups#!topic/waffle-users/mLSv4BZ9Hms%5B1-25%5D "Kerberos TGT Session Key restriction for Domain user in local Administrators group with UAC enabled " for Windows. I didn't find anyone who fixed that issue before. My solution is quite easy, simple and clean if you are interested I can share.

[Daniel Doubrovkine]

Yes, please share. Ideally I'd like a proper entry to the FAQ,  https://github.com/dblock/waffle/wiki/Frequently-Asked-Questions. You can fork the FAQ and contribute to it directly.

If there're fixes/changes/improvements to Waffle, please fork it off  https://github.com/dblock/waffle and make changes and pull requests into the next release, 1.5 branch.

Don't hesitate to ask if you need help.

[Doug Fisher]

yes, please share.

[uljana12]

Here is described my solution.

So previously we used GSSAPI for acquiring service ticket which worked perfectly fine for all platforms that we support except Windows 7, where for single sign on with UAC enabled you have to either Run as Administrator or disable UAC. This was not acceptable for us.

I found a way to do this on Windows 7 using SSPI protocol and WAFFLE. So for this code to work you will need latest version of Waffle I guess 1.5 from web site http://waffle.codeplex.com.

So the code that we use to get the service ticket using SSPI is the following, which return the same token as when using GSSAPI:

public byte[] getServiceTicketSSPI(final String serviceName) {

    final String securityPackage = "Kerberos";

    IWindowsCredentialsHandle clientCredentials = null;

    WindowsSecurityContextImpl clientContext = null;

    final String currentUser = WindowsAccountImpl.getCurrentUsername();

    try {

      clientCredentials = WindowsCredentialsHandleImpl.getCurrent(currentUser, securityPackage);

      clientCredentials.initialize();

      // initial client security context

      clientContext = new WindowsSecurityContextImpl();

      clientContext.setPrincipalName(currentUser);

      clientContext.setCredentialsHandle(clientCredentials.getHandle());

      clientContext.setSecurityPackage(securityPackage);

      final SecBufferDesc continueToken = null;

      do {

        clientContext.initialize(clientContext.getHandle(), continueToken, serviceName);

      } while (clientContext.getContinue());

      return clientContext.getToken();

    } finally {

      if (clientContext != null) {

        clientContext.dispose();

      }

      if (clientCredentials != null) {

        clientCredentials.dispose();

      }

    }

  }

We only use this for Windows platform, all other platforms we support GSSAPI. We rely on that solution because we used that for many years for all windows platforms, but native implementation in C++. Now we have the same solution in Java thanks to WAFFLE.

Regards,

Ulyana

[Daniel Doubrovkine]

Thanks for this! 

In 1.5 the FAQ is now in git, it would be nice if you could contribute a proper FAQ  to the 1.5 branch. Let me know if you need help with how to do that.

cheers

dB.

[Ulyana Tsyukh]

I don't understand what you mean by 'a proper FAQ', all I can do is to copy paste my post there.

[Daniel Doubrovkine]

The FAQ has moved into the docs in markdown format. See https://github.com/dblock/waffle/blob/1.5/Docs/FAQ.md

You can now fork the project, modify the FAQ (by adding a new markdown formatted file under Docs/faq, linking it from FAQ.md) and submit a pull request.

[sanja...@gmail.com]

Hi Uljana,

 

I am also trying the Waffle to access Kerberos Ticket on Windows 7 with JAAS. I am newbie to the kerberos and Waffle. We need to implement the solution exactly the same as you have implemented.

 

I was not able to get Waffle JAAS client from the link you have mentioned. Also, could you please guide me with the detailed steps, code etc. to implement the solution.

 

Thanks,

Sanjay

[Ulyana Tsyukh]

Hi,

I already posted my solution. 

Best Regards.

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[sanja...@gmail.com]

Sorry, but I couldn't find the link for the complete solution. Could you please share a link or code etc.

 

Thanks,

Sanjay

[sanja...@gmail.com]

The Waffle JAAS client is not available at the link you have mentioned. Is that possible for you to share your code for JAAS client module using Waffle. I am stuck up with the solution and would be extremely grateful if you can share how to acess kerbrors ticket using JAAS and Waffle.

 

- Thanks

Sanjay

[Ulyana Tsyukh]

The Waffle 1.5 is available from the link I mentioned. Please read carefully I described my solution in the previous post already together with the code. I can't help you with anything else. 

[Daniel Doubrovkine]

I'll copy paste the code from above as a PSA. Waffle 1.5, which you need to run this code, has since shipped and is available from the download link on https://github.com/dblock/waffle.

[Daniel Doubrovkine]

Btw, Ulyana, thank you. Still would love you to contribute an FAQ, it's far down on my TODO list :)

[sanja...@gmail.com]

Thanks for your repsonse and sorry to bother you again as I am newbie to the waffle and kerberos. I would greatly appreciate if you can provide some example or explaination of how to retreive kerberos ticket using Waffle JAAS client for stand alone java application.

 

Let me try to explain my requirement in some simple way:

We have a stand-alone java application running on windows where we are using JAAS and Kerberos SSO. For windows 7, the session key is not sent with the TGT and we need to make registry entry for the same. As we want to avoid the registry entry and retrieving TGT, I was looking for a solution to handle this situation and came to know about waffle. 

 

So, if you could provide an example of working with waffle jaas client and kerberos would be great help to me.

 

Thanks,

Sanjay

[Daniel Doubrovkine]

I am not sure what else people on this thread can do to help you. You're asking someone to spend many hours writing an example that will fit your application perfectly, for a problem they don't have. You have all the building blocks, including code to retrieve the TGT, which is what you've been asking for. You have to do your own integration work.

[sanja...@gmail.com]

Thanks Daniel. I understand the building blocks are there but the JAAS client I see is based on servlet request object while I want to use it for stand alone application. I just want if you or someone can throw some pointers/hint/flow of clubbing these blocks to retrieve Kerberos ticket with stand-alone java app on Windows 7

 

Thanks,

Sanjay

[sanja...@gmail.com]

I just want a brief on retrieving Kerberos TGT and TGS (I think Ulyana has already shared code for this) on Windows 7 with stand-alone java app using JAAS. Also would like to know the server side code.

[Daniel Doubrovkine]

Sanjay,

May I suggest you ask a colleague to help you with this? As you said, you're just discovering kerberos, waffle, etc., and what you're asking is quite advanced with many moving parts.

Sorry I can't be more helpful.

-dB.

[sanja...@gmail.com]

ok. If you can redirect me to any documentation/link that can help me to understand waffle using kerberos (specially how to retrieve TGT using WindowsLoginModule as we do that with Krb5LoginModule). - Thanks!!

[Daniel Doubrovkine]

Waffle uses SSPI: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380493(v=vs.85).aspx

[Sanjay Amin]

Thanks Daniel. The link you provided is a good source to understand SSPI and windows authentication. I am now trying with Waffle code and have one question (I might be asking some basic question), answer of tha would be helpful for me to go ahead and find out solution to my requirements.

 

if we use the securityPackage as "Kerberos" and retrieve securityContext in following way - (As per waffle code),

 

  String securityPackage = "Kerberos";
  // security context
  IWindowsSecurityContext ctx = WindowsSecurityContextImpl.getCurrent(
                                                          securityPackage, WindowsAccountImpl.getCurrentUsername());

 byte[] token =  ctx.getToken();

Does this token is known as TGT? - (I understand that we don't have to worry about the TGT when working with SSPI, but just wanted to map it to make my understanding clear).

Do we need to send this token to server/kdc to retrieve service ticket (TGS) with the SPN ?

 

It would be great if you can explain a bit to help me understanding it better.. Thanks!!

[Daniel Doubrovkine]

I believe so, yes.

[Sanjay Amin]

Hi,

 

I have retrieved service ticket using SSPI as example given in this conversation thread. I want to share the retrieved service ticket with other JAAS login module so that they don't need to go through the login process.

 

I have created a LoginModule class (TestCustomLoginModule) and put service ticket in shared state in it's login method as following:

 

public boolean login() throws LoginException {
     byte[] serviceTicket = SSPIExample.getServiceTicketSSPI(SPN);
     previouslySharedState.put("javax.security.auth.kerberos.KerberosTicket", serviceTicket);
        return true;
    }

 

Am I setting the ticket in correct way? What should be combination of useFirstPass and useTicketCache in jass config file? Are following entries correct to share this ticket?

 

My jass.config file has following entries:

 

WinKerberos {
   test.waffle.loginmodule.TestCustomLoginModule optional;

   com.sun.security.auth.module.Krb5LoginModule sufficient
   useFirstPass=true
   useTicketCache=true   debug=true;
}; OnlineCheck {
   com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false;
}; WinLocal {
   com.sun.security.auth.module.NTLoginModule required;
};

 

Thanks,

Sanjay

[VamsiKrishna Sribhashyam]

Hi Sanjay,

What happened after this? Did you manage to resolve the issue?