Waffle SSPI Kerberos Single Sign On: Configuring the Encryption Ciphers, and Debugging

ぐ巨炮叔叔 submitted on 2021-01-29 09:02:25

Question


How can we configure which Encryption Ciphers a Java Waffle SSPI Kerberos Single Sign On (SSO) client should use?

How can we best debug which ciphers are actually being used by the client and server?

Background

We need to restrict the Encryption Ciphers used for Kerberos SSO, removing ciphers now considered weak.

Our Setup

The Java Application Server implements SSO via pure Java GSSAPI.

The Java Client implements SSO by two configurable SSO APIs:

  • On Linux or Windows 10 without Credential Guard active: via pure Java GSSAPI.

  • On Windows 10 with Credential Guard Active: via Java Waffle + Microsoft SSPI API.

The Kerberos “back-end” is Windows Active Directory.

What we already know

On the pure Java GSSAPI implementations (Server and Client) we can set the system property java.security.krb5.conf to configure a krb5.conf file in which we can explicitly configure the encryption types, e.g.:

[libdefaults]
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part4.html

With GSSAPI we can get debug information with the system property sun.security.krb5.debug=true

However, on the Waffle SSPI client, neither system property has any effect. In retrospect this is not surprising because SSPI is not calling the Java runtime Kerberos code.

My guess is that SSPI takes the permitted encryption types from the Windows Operating System, and that we may not be able to configure the types from the Java application.

The Waffle website suggests the following link for Kerberos Debugging:

https://support.microsoft.com/en-us/help/262177/how-to-enable-kerberos-event-logging

Source: https://stackoverflow.com/questions/60205241/waffle-sspi-kerberos-single-sign-on-configuring-the-encryption-ciphers-and-deb
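
As an added example (not part of the original question, and not Waffle or JDK code), this Python script audits the three enctype keys from the krb5.conf shown above and reports weak or missing settings. The set of enctypes treated as weak and the LEGACY sample are assumptions made for the example; it covers only the pure Java GSSAPI side, since per the question SSPI is not affected by this file.

```python
import re

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Assumption for this example: DES, 3DES and RC4 types count as weak.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "des3-hmac-sha1",
        "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

def parse_libdefaults(text):
    """Return {key: [enctype, ...]} for the enctype keys set in [libdefaults]."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                             # entering a new [section]
            section = header.group(1).strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:            # values are space or comma separated
                found[key] = [e.lower() for e in re.split(r"[,\s]+", value) if e]
    return found

def audit(text):
    """Return findings; an empty list means all three keys are set and free of weak types."""
    found = parse_libdefaults(text)
    findings = []
    for key in ENCTYPE_KEYS:
        if key not in found:                   # unset key falls back to library defaults
            findings.append(f"{key}: not set, library defaults apply")
        else:
            findings += [f"{key}: weak enctype {e}" for e in found[key] if e in WEAK]
    return findings

# Constructed samples: the restricted config from the question, and a weaker one.
RESTRICTED = """[libdefaults]
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts
"""
LEGACY = """[libdefaults]
# constructed config that still allows RC4 and DES
default_tkt_enctypes = aes256-cts rc4-hmac
permitted_enctypes = aes256-cts, des-cbc-md5
[realms]
permitted_enctypes = rc4-hmac
"""
if __name__ == "__main__":
    print(audit(RESTRICTED) or "ok", audit(LEGACY), sep="\n")
```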
