[teiid-issues] [JBoss JIRA] (TEIID-3425) Pass-through kerberos authentication on IBM JDK - principal is not passed to MSSQL driver

RH Bugzilla Integration (JIRA) issues at jboss.org
Mon Apr 20 08:56:18 EDT 2015


    [ https://issues.jboss.org/browse/TEIID-3425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13060590#comment-13060590 ] 

RH Bugzilla Integration commented on TEIID-3425:
------------------------------------------------

Van Halbert <vhalbert at redhat.com> changed the Status of [bug 1211539|https://bugzilla.redhat.com/show_bug.cgi?id=1211539] from NEW to ASSIGNED

> Pass-through kerberos authentication on IBM JDK - principal is not passed to MSSQL driver
> -----------------------------------------------------------------------------------------
>
>                 Key: TEIID-3425
>                 URL: https://issues.jboss.org/browse/TEIID-3425
>             Project: Teiid
>          Issue Type: Bug
>    Affects Versions: 8.7.1
>         Environment: OS: Fedora 20
> java: IBM JDK 1.7
> arch: x86_64
>            Reporter: Juraj Duráni
>            Assignee: Ramesh Reddy
>             Fix For: 8.12
>
>         Attachments: set-up-mssql-ibm.cli, sql2012krb-static-vdb.xml, sql2012krb-vdb.xml
>
>
> I have configured a datasource for an MSSQL database. The datasource uses PassthroughIdentityLoginModule. I have also created a VDB which requires Kerberos authentication. I am trying to pass the credentials used for authentication CLIENT <=> TEIID to the datasource so they can be used for authentication TEIID <=> MSSQL.
> Method getConnection(..) (recorded in the server log) is called with the correct credentials, but SQLServerDriver throws an exception:
> initAuthInit failed privileged exception:-java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 13, minor code: 0
> 	major string: Invalid credentials
> 	minor string: Cannot get credential from JAAS Subject for principal: default principal
> Some ideas, but I am only guessing:
> 1. I have seen the same exception (on the client side) if the system property "javax.security.auth.useSubjectCredsOnly" is set to false on the client side. As this property is set to true in the server config (<property name="javax.security.auth.useSubjectCredsOnly" value="true"/>), it is probably not passed to the driver (or is being ignored).
> 2. SQLServerDriver sets two system properties by default (if no Kerberos configuration file is specified): useDefaultCcache = true, moduleBanner = false - see https://msdn.microsoft.com/en-us/library/gg558122%28v=sql.110%29.aspx - the IBM Kerberos login module will try to get the TGT from the ticket cache.
> I have tried a static Kerberos configuration for the same DS and there was no problem with it.



--
This message was sent by Atlassian JIRA
(v6.3.11#6341)


