How do people make Java SPNEGO client work in Windows?

北海茫月 2020-12-28 08:40

In order to do client-side HTTP SPNEGO authentication with Java on Windows you need to set the Windows Registry key allowtgtsessionkey. This is well documented. What I do no

3 Answers
  • 2020-12-28 09:22

    As of Java 13 there's now built-in support in the JDK for Windows' own GSS API (aka SSPI).

    See Release Notes for Java 13 as well as JDK-6722928.

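A sketch of the Java 13 route mentioned in the answer above, added here as an example and not code from the answer or from the JDK project: a JGSS client that lets the JDK's native GSS bridge ask SSPI for the SPNEGO token, so Java does not need to read the TGT itself. Assumptions: JDK 13 or later on a domain-joined Windows machine, a server that holds the `HTTP/<host>` SPN, and a placeholder URL; the class name `SpnegoSspiClient` is hypothetical.

```java
import org.ietf.jgss.*;
import java.net.URI;
import java.net.http.*;
import java.util.Base64;

// Added example: SPNEGO over HTTP using the JDK 13+ native GSS (SSPI) bridge on Windows.
public class SpnegoSspiClient {
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    public static void main(String[] args) throws Exception {
        // Use the platform GSS library instead of the pure-Java Kerberos stack.
        // Must be set before the first GSSManager call (or passed as -D on the command line).
        System.setProperty("sun.security.jgss.native", "true");
        // Use the logged-on user's default credentials rather than a JAAS Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // Placeholder URL (assumption); pass the real one as the first argument.
        URI uri = URI.create(args.length > 0 ? args[0] : "https://app.example.test/protected");

        GSSManager manager = GSSManager.getInstance();
        GSSName service = manager.createName("HTTP@" + uri.getHost(), GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(service, new Oid(SPNEGO_OID), null,
                GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // ask the server to prove its identity too
        ctx.requestCredDeleg(false);   // do not forward the user's credentials to the server
        try {
            byte[] out = ctx.initSecContext(new byte[0], 0, 0);
            HttpRequest req = HttpRequest.newBuilder(uri)
                    .header("Authorization", "Negotiate " + Base64.getEncoder().encodeToString(out))
                    .build();
            HttpResponse<String> resp = HttpClient.newHttpClient()
                    .send(req, HttpResponse.BodyHandlers.ofString());

            // Feed the server's reply token back so mutual authentication can complete.
            String reply = resp.headers().firstValue("WWW-Authenticate").orElse("");
            if (reply.startsWith("Negotiate ") && !ctx.isEstablished()) {
                byte[] in = Base64.getDecoder().decode(reply.substring("Negotiate ".length()).trim());
                ctx.initSecContext(in, 0, in.length);
            }
            System.out.println("HTTP " + resp.statusCode()
                    + ", context established: " + ctx.isEstablished()
                    + ", server authenticated: " + ctx.getMutualAuthState());
        } finally {
            ctx.dispose();   // release the native security context
        }
    }
}
```

A `false` for "server authenticated" on a successful response means the server never proved its identity, which is worth treating as a failure before sending anything sensitive.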
  • 2020-12-28 09:37

    Thanks for referencing my thread on the security-dev mailing list ;-) My mid-term goal is to make this patch available to Java 6+ through the endorsed class path. You might be interested in this WAFFLE ticket which I have created recently: https://github.com/dblock/waffle/issues/50

    I have evaluated WAFFLE too but it is so not-Java-GSS-like that one has to create duplicate code, this is something I want to avoid by all means.

    This entire issue is not exactly Oracle's fault. Microsoft is simply blocking any call to the session ticket through the LSA CallPackage function. The pretext is security. I would really like to know how SSPI is able to create a service ticket when I cannot reasonably access the TGT. Therefore such a closed source solution sucks.

    Right now at the moment, you have only three options:

    1. Obtain the TGT again through Java means
    2. Try WAFFLE
    3. Write custom code

    I have buried the crappy registry key because it does not work for local admin with domain accounts anyway. In my case, Tomcat dev on Windows I have resorted to calling Java's kinit in the meantime.

  • 2020-12-28 09:39

    There is now a really good solution for this included in the Apache HTTP Client, using JNA to get the ticket from the native SSPI API. See this answer:

    https://stackoverflow.com/a/22865583/381161
