JEP 113: MS-SFU Kerberos 5 Extensions

AuthorWeijun Wang
OrganizationOracle
Created2011/4/22
Updated2013/1/14
TypeFeature
StateFunded
Componentcore/sec
ScopeJDK
RFE6355584
Internal-refsOracle:A360:683949
Discussionsecurity dash dev at openjdk dot java dot net
Start2011/Q3
EffortM
DurationM
Endorsed-byBrian Goetz
Funded-byOracle
Release8
TargetM5

Summary

Add the MS-SFU extensions to the JDK’s Kerberos 5 implementation.

Goals

  1. Implement the MS-SFU S4U2self protocol
  2. Implement the MS-SFU S4U2proxy protocol
  3. Make sure the implementation is interoperable with current MS and MIT implementations.

Motivation

In a typical network service, the front-end (say, a web server) often needs to access the back-end (say, a database server) on behalf of the client. Kerberos 5 supports delegation but demands all layers using Kerberos. In some cases, the authentication between the client and the front-end is not performed in Kerberos (for example, client logs in to a web server using digest authentication), and there are no Kerberos credentials to be delegated. Microsoft defines the Service for User (S4U) extension so that the front-end can still access the back-end on behalf of the client without the client’s credentials.

Also, with the standard Kerberos 5 delegation (which Microsoft calls open delegation), once you grant a service account an ability to delegate it can delegate to any service at all. This means that one needs to be very careful with this privilege. On the other hand, the MS-SFU delegation (Microsoft calls it constrained delegation) is much more secure. Here the administrator can precisely control which services a particular service can delegate to.

Microsoft started using S4U since Windows Server 2003, and the feature is also supported by MIT Kerberos 5 implementation recently (in krb5-1.8).

Description

S4U includes two extensions to the original Kerberos Protocol defined in RFC 4120: Service-for-User-to-Self (S4U2self) which allows a front-end service to obtain a Kerberos service ticket to itself on behalf of a user, and Service-for-User-to-Proxy (S4U2proxy), which enables it to obtain a service ticket on behalf of the user to a second, back-end service.

Collectively, these two extensions enable the front-end service to obtain a Kerberos service ticket on behalf of a user. The resulting service ticket can be used for:

We’ll provide some new public JGSS-API to support this feature. New config files and/or system properties are also likely to be added.

Alternatives

We can also enhance the native JGSS provider to make use of existing S4U feature from a native Kerberos implementation.

Testing

  1. Functional tests inside JDK. S4U support for the test KDC
  2. Interop test with Microsoft Active Directory and MIT’s Kerberos 5 implementation.

Impact