]
Lin Gao moved WFLY-5557 to WFCORE-1091:
---------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-1091 (was: WFLY-5557)
Component/s: Domain Management
Remoting
Security
(was: Domain Management)
(was: Remoting)
(was: Security)
Affects Version/s: 2.0.0.CR9
(was: 10.0.0.CR3)
Kerberos authentication for remoting on hostname which contains
uppercase letter
--------------------------------------------------------------------------------
Key: WFCORE-1091
URL:
https://issues.jboss.org/browse/WFCORE-1091
Project: WildFly Core
Issue Type: Bug
Components: Domain Management, Remoting, Security
Affects Versions: 2.0.0.CR9
Reporter: Martin Choma
Assignee: Lin Gao
Priority: Critical
When EAP runs on server, which contains upper case in hostname (e.g.
localhost.Localdomain), it is unpossible to make kerberos authentication in remoting to
work properly.
JDK constructs TGT-REQ with lower case hostname. But remoting client create connection to
EAP with upper case letters, what cause problems.
RFC4120 "The Kerberos Network Authentication Service" [1] in chapter
"6.2.1. Name of Server Principals" requires ??Where the name of the host is not
case sensitive (for example, with Internet domain names) the name of the host MUST be
lowercase.??
Based on information from RFC, IMHO, EAP should handle such scenario. Either remoting
client should send lowercase hostname or security realm should map principal case
insensitively and look for lower-case keytab record, e.g. remote/localhost.localdomain.
[1]
https://www.ietf.org/rfc/rfc4120.txt